According to http://tools.ietf.org/html/draft-ietf-oauth-v2-15#section-4.2.2 it doesn't look like clients of the implicit oauth2 flow should receive a refreshing token although it looks like the access token can optionally have an expires_in time set. Does this mean there is no step for an implicit client to refresh their access token without involving the user again?
According to http://tools.ietf.org/html/draft-ietf-oauth-v2-15#section-6 it looks like a client needs to send in the client credentials, including the client secret, to refresh an access token. This is a no-go for clients that can't securely secure a client secret, like a web browser. Is providing no way for an implicit client to refresh an access token without involving the resource owner intended?

-Doug Tangren
http://lessis.me
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
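As an added example that is not part of the post or of the IETF draft: a browser-side handler for the implicit grant response the question describes. Parameter names (access_token, token_type, expires_in, scope, state, response_type=token) follow sections 4.2.1 and 4.2.2 of the draft; the function names and the 30-second margin are assumptions for this example.

```javascript
// Added example: client-side handling of an implicit grant response.
// The token arrives in the URL fragment with no refresh_token, so the
// client must track expires_in itself and send the user back through the
// authorization endpoint when the token lapses.

// Parse the redirect fragment. Throws if the echoed state does not match
// the value this client generated, which rejects a redirect forged by a
// third party, or if the server reported an error.
function parseImplicitResponse(fragment, expectedState, nowMs) {
  const params = new URLSearchParams(fragment.replace(/^#/, ''));
  if (params.get('error')) {
    throw new Error('authorization failed: ' + params.get('error'));
  }
  if (params.get('state') !== expectedState) {
    throw new Error('state mismatch: possible forged redirect');
  }
  const accessToken = params.get('access_token');
  if (!accessToken) throw new Error('no access_token in fragment');
  const expiresIn = params.get('expires_in'); // optional per the draft
  return {
    accessToken,
    tokenType: params.get('token_type'),
    scope: params.get('scope'),
    // Lifetime unknown when expires_in is absent; rely on the resource
    // server rejecting the token in that case.
    expiresAtMs: expiresIn === null ? null : nowMs + Number(expiresIn) * 1000,
    // The implicit grant never issues a refresh token (section 4.2.2).
    refreshToken: null,
  };
}

// A browser client cannot call the refresh step of section 6 because that
// requires a client secret it cannot protect, so the only recovery is to
// restart the authorization request. Returns true when that is due, with a
// safety margin (assumed 30 s) so calls are not made with a token about to expire.
function needsReauthorization(token, nowMs, marginMs = 30000) {
  if (token.refreshToken) return false;     // not the implicit case
  if (token.expiresAtMs === null) return false; // lifetime unknown
  return nowMs + marginMs >= token.expiresAtMs;
}

// Build the authorization request URL (section 4.2.1) for the re-run.
function buildAuthorizationUrl(endpoint, clientId, redirectUri, state, scope) {
  const q = new URLSearchParams({ response_type: 'token', client_id: clientId,
    redirect_uri: redirectUri, state });
  if (scope) q.set('scope', scope);
  return endpoint + '?' + q.toString();
}
```

The state value passed in must be the unguessable one the client generated before redirecting, stored for the duration of the round trip.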
