Not all the flows return a refresh token for security or practicality reasons. Adding refresh token as optional in all access token requests is required to enable upgrading a token to a token with secret. It also can make the spec slightly shorter by not having to repeat all the parameters.
We need to either add it to every token response or allow the client to request a secret directly without having to refresh the token.

Proposal: Keep bearer tokens as the default first-issued credential and add an optional refresh token everywhere.

EHL
