Page 4 of the specification says: The client MUST NOT make any assumptions about the timing and MUST NOT use the token again.
In the case of a self-care portal mentioned in - 1.0 Introduction - clients may not be aware that tokens have been revoked. In that scenario it seems probable that clients will try to use revoked tokens at least once.
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
