In 5.1 (draft 12), if a refresh_token is returned with an access_token, what does expires_in refer to? Strict reading of the spec says it refers to the access_token, but isn't lifetime of the refresh token as important? Should there be a similar "refresh_expires_in"?
Apologies if this was discussed before. Phil [email protected] _______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
