-Doug Tangren http://lessis.me
On Wed, Jun 1, 2011 at 1:39 AM, Kris Selden <[email protected]> wrote:

> Why can't you just revoke the refresh token for a client when you change
> the client secret?

This makes sense for a server implementation for added precaution but in practice, most clients don't change client secrets often.

> Is it not easier to revoke a token than it is to rotate the client secret
> (which is usually configured or embedded in the client whereas the token is
> issued)?

Yes, providing a user means to revoke a token or to break a "connection" is a de facto feature of most server implementations. However, most users will accept the authorization for an app and forget about it.
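As an added illustration of the two mechanisms contrasted above (example code, not from this thread or any IETF implementation): a toy authorization server that stamps each refresh token with the client-secret version it was issued under, so rotating the secret revokes the client's older tokens, alongside the user-initiated "break the connection" revocation. The class, method and field names are assumptions.

```python
import hashlib
import hmac
import secrets

def _digest(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()  # store a hash, never the raw secret

class AuthServer:
    def __init__(self) -> None:
        self.clients = {}  # client_id -> (secret_hash, secret_version)
        self.tokens = {}   # refresh token -> (client_id, user_id, secret_version at issue)
        self.revoked = set()

    def register_client(self, client_id: str, secret: str) -> None:
        self.clients[client_id] = (_digest(secret), 1)

    def _authenticate(self, client_id: str, secret: str) -> int:
        secret_hash, version = self.clients[client_id]
        if not hmac.compare_digest(secret_hash, _digest(secret)):
            raise PermissionError("invalid client credentials")
        return version

    def issue_refresh_token(self, client_id: str, secret: str, user_id: str) -> str:
        version = self._authenticate(client_id, secret)
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (client_id, user_id, version)  # remember which secret it was issued under
        return token

    def rotate_client_secret(self, client_id: str, old_secret: str, new_secret: str) -> int:
        version = self._authenticate(client_id, old_secret) + 1
        self.clients[client_id] = (_digest(new_secret), version)
        # Server-side precaution: a new secret revokes every token obtained under an earlier one.
        for token, (cid, _user, issued_under) in self.tokens.items():
            if cid == client_id and issued_under < version:
                self.revoked.add(token)
        return version

    def revoke_connection(self, user_id: str, client_id: str) -> int:
        # User-initiated revocation: break this user's "connection" to one app.
        hits = [t for t, (cid, uid, _v) in self.tokens.items()
                if cid == client_id and uid == user_id and t not in self.revoked]
        self.revoked.update(hits)
        return len(hits)

    def refresh_is_valid(self, token: str, client_id: str, secret: str) -> bool:
        version = self._authenticate(client_id, secret)
        if token in self.revoked or token not in self.tokens:
            return False
        cid, _user, issued_under = self.tokens[token]
        return cid == client_id and issued_under == version
```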
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
