> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf
> Of Lu, Hui-Lan (Huilan)
> Sent: Thursday, March 17, 2011 2:31 PM
> The required binding of the client and refresh token is implied. For clarity, I
> would suggest making it explicit with the following edits:
>
> + In section 1.5, after the first sentence, add "Unlike the access token, the
> refresh token is bound to the client and is consumed only by the
> authorization server."
The refresh token is bound to the client it was issued to, and its usage requires
client authentication.
> + On p. 33, the sentence "The client includes its authentication credentials as
> described in Section 3" is descriptive. Make it prescriptive to read "The client
> MUST include its authentication credentials as described in Section 3."
Added instead:
The authorization server MUST validate the client credentials, ensure that the
refresh token was issued to the authenticated client, validate the refresh token,
and verify that the resource owner's authorization is still valid.
EHL
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
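The four server-side checks listed in the reply above, as an added illustration that is not part of the thread or the OAuth draft text: the client registry, refresh-token store, grant table and the `refresh_access_token` function are constructed for this example, and the `invalid_client` / `invalid_grant` result names follow OAuth 2.0's token error responses.

```python
import hmac
import time

# Constructed sample state standing in for the authorization server's
# client registry, refresh-token store and resource-owner grant records.
CLIENTS = {"client-a": "secret-a", "client-b": "secret-b"}
REFRESH_TOKENS = {
    # token -> (client_id it was issued to, grant id, expiry epoch, revoked?)
    "rt-1": ("client-a", "grant-1", 4102444800, False),
    "rt-2": ("client-a", "grant-2", 4102444800, False),
    "rt-3": ("client-b", "grant-3", 4102444800, True),
}
# grant id -> whether the resource owner's authorization is still in force
GRANTS = {"grant-1": True, "grant-2": False, "grant-3": True}


def authenticate_client(client_id, client_secret):
    """Check 1: validate the client credentials (constant-time secret compare)."""
    expected = CLIENTS.get(client_id)
    if expected is None:
        return False
    return hmac.compare_digest(expected, client_secret)


def refresh_access_token(client_id, client_secret, refresh_token, now=None):
    """Apply the reply's four checks before issuing a new access token.

    Returns ("ok", new_access_token) on success, otherwise
    ("invalid_client" | "invalid_grant", reason).
    """
    now = time.time() if now is None else now
    # Check 1: the client must authenticate; an unauthenticated caller
    # never learns anything about the token it presented.
    if not authenticate_client(client_id, client_secret):
        return ("invalid_client", "client authentication failed")
    record = REFRESH_TOKENS.get(refresh_token)
    if record is None:
        return ("invalid_grant", "unknown refresh token")
    issued_to, grant_id, expires_at, revoked = record
    # Check 2: the token must have been issued to the client that just
    # authenticated, which is the binding the thread asks to make explicit.
    if issued_to != client_id:
        return ("invalid_grant", "refresh token not issued to this client")
    # Check 3: the refresh token itself must still be valid.
    if revoked or now >= expires_at:
        return ("invalid_grant", "refresh token expired or revoked")
    # Check 4: the resource owner's authorization must still stand.
    if not GRANTS.get(grant_id, False):
        return ("invalid_grant", "resource owner authorization no longer valid")
    return ("ok", f"at-{grant_id}-{int(now)}")
```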