Thanks. This makes sense. I'm wondering if there should be some explanative text under "refresh_token". Yet, it doesn't make all that much sense to define why something isn't there. Never-the-less, it just seem like an awkward omission after reading it.
I do note, that section 6 (Refreshing an Access Token) does not indicate any standard error responses. This seems to be covered by section 5. The second last paragraph in 6 states: "If valid, the authorization server issues an access token response as described in Section 5". Maybe that should read: "The authorization server issues a response as described in Section 5". So in this case, invalid_grant error would be generated. Regards, Phil [email protected] On 2011-02-03, at 12:43 PM, William Mills wrote: > The general use case for refresh tokens is that they don't have a lifetime, > although they can be invalidated by various things. > >> -----Original Message----- >> From: [email protected] [mailto:[email protected]] On Behalf >> Of Phil Hunt >> Sent: Thursday, February 03, 2011 12:27 PM >> To: OAuth WG >> Subject: [OAUTH-WG] Refresh Token and Expires_in >> >> In 5.1 (draft 12), if a refresh_token is returned with an access_token, >> what does expires_in refer to? Strict reading of the spec says it >> refers to the access_token, but isn't lifetime of the refresh token as >> important? Should there be a similar "refresh_expires_in"? >> >> Apologies if this was discussed before. >> >> Phil >> [email protected] >> >> >> >> >> _______________________________________________ >> OAuth mailing list >> [email protected] >> https://www.ietf.org/mailman/listinfo/oauth _______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
