I have started implementing OAuth 2 on geoloqi.com's API. I have a
question/suggestion regarding using refresh tokens.

It is my understanding that access tokens are supposed to be short-lived,
and clients should use the refresh token to request a new access token after
it expires. When the client requests a new access token, it may also get a
new refresh token back in the response. If this is the case, the client will
probably use the new refresh token for future requests and discard the old
refresh token. Does it make sense in this case that the authorization server
should expire the old refresh token?

Proposed text for the "refresh_token" section of 4.2 Access Token Response:

> If the access grant type is "refresh_token", the authorization server SHOULD
> expire (revoke?) the refresh token that was used in this request when
> providing a new refresh token.

Does this make sense?
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
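Editor's note, added after the message above and not part of the original post. The behaviour the poster proposes, rotation with server-side expiry of the used refresh token, is shown below as a worked example; it is my code, not the poster's and not Geoloqi's. (For the record, the final RFC 6749, section 6, says the server MAY issue a new refresh token and that the client MUST then discard the old one; it leaves server-side invalidation of the old token to the server.) The example goes one step beyond the proposal, an assumption on my part that follows later practice (RFC 6819 and the OAuth 2.1 draft): presenting an already-rotated refresh token a second time revokes the whole grant, because the server cannot tell whether the legitimate client or someone holding a stolen copy sent it. The class and function names, the client id, the 600-second access token lifetime and the in-memory stores are all assumptions of the example.

```python
"""Refresh-token rotation at the token endpoint (added example, not the
mailing-list author's code).  All names here are assumed: AuthorizationServer,
Grant, RefreshToken, and the TTL constant below."""
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass

ACCESS_TOKEN_TTL = 600  # seconds; assumed lifetime of the short-lived access token


@dataclass
class Grant:
    """One user's authorization of one client: what refresh tokens belong to."""
    client_id: str
    user_id: str
    scope: str
    revoked: bool = False


@dataclass
class RefreshToken:
    grant_id: str
    active: bool = True  # False once the token has been used (rotated) or revoked


class AuthorizationServer:
    def __init__(self) -> None:
        self.grants: dict[str, Grant] = {}
        self.refresh_tokens: dict[str, RefreshToken] = {}
        # access_token -> (grant_id, absolute expiry time)
        self.access_tokens: dict[str, tuple[str, float]] = {}

    def _issue_tokens(self, grant_id: str) -> dict:
        """Mint a fresh access token and a fresh refresh token for the grant."""
        access = secrets.token_urlsafe(32)
        refresh = secrets.token_urlsafe(32)
        self.access_tokens[access] = (grant_id, time.time() + ACCESS_TOKEN_TTL)
        self.refresh_tokens[refresh] = RefreshToken(grant_id)
        return {
            "access_token": access,
            "token_type": "bearer",
            "expires_in": ACCESS_TOKEN_TTL,
            "refresh_token": refresh,
        }

    def authorize(self, client_id: str, user_id: str, scope: str) -> dict:
        """Stand-in for the initial grant (e.g. the code exchange): first token pair."""
        grant_id = secrets.token_hex(8)
        self.grants[grant_id] = Grant(client_id, user_id, scope)
        return self._issue_tokens(grant_id)

    def token_endpoint(self, client_id: str, grant_type: str, refresh_token: str) -> dict:
        """grant_type=refresh_token handler: rotate, and expire the token that was used."""
        if grant_type != "refresh_token":
            return {"error": "unsupported_grant_type"}
        rt = self.refresh_tokens.get(refresh_token)
        if rt is None:
            return {"error": "invalid_grant"}
        grant = self.grants[rt.grant_id]
        if grant.revoked or grant.client_id != client_id:
            return {"error": "invalid_grant"}
        if not rt.active:
            # An already-rotated refresh token was presented again.  Either the
            # legitimate client failed to discard it or a second party holds a
            # copy; the server cannot tell which, so the whole grant is revoked
            # (this reuse handling is an extension of the proposal, see lead-in).
            self.revoke_grant(rt.grant_id)
            return {"error": "invalid_grant"}
        rt.active = False  # the proposal: expire the refresh token used in this request
        return self._issue_tokens(rt.grant_id)

    def revoke_grant(self, grant_id: str) -> None:
        """Kill the grant and every token, access or refresh, issued under it."""
        self.grants[grant_id].revoked = True
        for rt in self.refresh_tokens.values():
            if rt.grant_id == grant_id:
                rt.active = False
        self.access_tokens = {
            tok: (gid, exp) for tok, (gid, exp) in self.access_tokens.items() if gid != grant_id
        }

    def is_valid_access_token(self, access_token: str) -> bool:
        """What a resource server would check: token known, unexpired, grant live."""
        entry = self.access_tokens.get(access_token)
        if entry is None:
            return False
        grant_id, expires_at = entry
        return time.time() < expires_at and not self.grants[grant_id].revoked


if __name__ == "__main__":
    srv = AuthorizationServer()
    first = srv.authorize("example-client", "alice", "location")
    second = srv.token_endpoint("example-client", "refresh_token", first["refresh_token"])
    print("rotated:", second["refresh_token"] != first["refresh_token"])
    print("old refresh token replayed:",
          srv.token_endpoint("example-client", "refresh_token", first["refresh_token"]))
    print("rotated access token still valid:", srv.is_valid_access_token(second["access_token"]))
```

Note that the access token issued before the rotation is deliberately left to run out its own short lifetime rather than being revoked at rotation time; only a detected replay of the old refresh token, or an explicit revocation, tears down every token of the grant. A client that does rotation correctly never triggers that path, because it discards the old refresh token as soon as the new one arrives.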