On Tue, May 31, 2011 at 10:39 PM, Kris Selden <[email protected]> wrote:
> Why can't you just revoke the refresh token for a client when you change the
> client secret?
>
> Is it not easier to revoke a token than it is to rotate the client secret
> (which is usually configured or embedded in the client whereas the token is
> issued)?
As I noted in my original e-mail on this thread, I was talking specifically about the web server flow. This is one area where the security considerations for installed applications are different than for web servers.

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
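The two mechanisms the thread contrasts, revoking a confidential client's refresh tokens versus rotating its client secret, can be seen side by side in a small authorization-server model. This is an added example, not code from the thread or from any OAuth implementation; the class and method names (`AuthorizationServer`, `revoke_client_tokens`, `rotate_secret`, the `secret_version` field) are assumptions. Refresh tokens are bound to the client and to the secret version they were issued under, so a revocation is a server-side update, while a rotation additionally invalidates tokens issued against the old secret and requires the deployed web-server client to pick up the new value.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Client:
    client_id: str
    secret_hash: bytes          # hash of the current client secret (never the secret itself)
    secret_version: int = 1     # bumped on every rotation


@dataclass
class RefreshToken:
    value: str
    client_id: str
    secret_version: int         # version of the client secret in force when issued
    revoked: bool = False


class AuthorizationServer:
    """Toy model (assumption) of the parts of an AS that matter for the web server flow."""

    def __init__(self) -> None:
        self.clients: dict[str, Client] = {}
        self.refresh_tokens: dict[str, RefreshToken] = {}

    @staticmethod
    def _hash(secret: str) -> bytes:
        return hashlib.sha256(secret.encode("utf-8")).digest()

    def register_client(self, client_id: str, secret: str) -> None:
        self.clients[client_id] = Client(client_id, self._hash(secret))

    def authenticate_client(self, client_id: str, secret: str) -> bool:
        """Confidential-client authentication with a constant-time hash comparison."""
        client = self.clients.get(client_id)
        if client is None:
            return False
        return hmac.compare_digest(client.secret_hash, self._hash(secret))

    def issue_refresh_token(self, client_id: str, secret: str) -> str:
        if not self.authenticate_client(client_id, secret):
            raise PermissionError("invalid_client")
        client = self.clients[client_id]
        token = RefreshToken(secrets.token_urlsafe(32), client_id, client.secret_version)
        self.refresh_tokens[token.value] = token
        return token.value

    def revoke_client_tokens(self, client_id: str) -> int:
        """Revocation: a server-side update only; the client's configuration is untouched."""
        count = 0
        for token in self.refresh_tokens.values():
            if token.client_id == client_id and not token.revoked:
                token.revoked = True
                count += 1
        return count

    def rotate_secret(self, client_id: str, new_secret: str) -> None:
        """Rotation: replaces the credential the deployed client must present, and
        implicitly invalidates refresh tokens issued under the previous version."""
        client = self.clients[client_id]
        client.secret_hash = self._hash(new_secret)
        client.secret_version += 1

    def refresh(self, token_value: str, client_id: str, secret: str) -> bool:
        """Return True if the refresh grant would be honoured for this client."""
        if not self.authenticate_client(client_id, secret):
            return False
        token = self.refresh_tokens.get(token_value)
        if token is None or token.revoked or token.client_id != client_id:
            return False
        # A token issued under an older secret version is refused after rotation.
        return token.secret_version == self.clients[client_id].secret_version


if __name__ == "__main__":
    # Constructed walkthrough: revoke first, then rotate.
    srv = AuthorizationServer()
    srv.register_client("web-app", "old-secret")
    rt = srv.issue_refresh_token("web-app", "old-secret")
    print("before revocation:", srv.refresh(rt, "web-app", "old-secret"))
    print("revoked:", srv.revoke_client_tokens("web-app"))
    print("after revocation:", srv.refresh(rt, "web-app", "old-secret"))
    rt2 = srv.issue_refresh_token("web-app", "old-secret")
    srv.rotate_secret("web-app", "new-secret")
    print("old token, new secret:", srv.refresh(rt2, "web-app", "new-secret"))
```

The point of binding `secret_version` into the token is that the server can choose either response: `revoke_client_tokens` is the cheap, purely server-side action Kris describes, while `rotate_secret` is the heavier step that also obliges the client operator to redeploy configuration, which is why the trade-off looks different for a web server than for an installed application.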
