On Wed, Jun 15, 2011 at 6:02 PM, Eran Hammer-Lahav <[email protected]> wrote:
> How does it make recovery easier? Why is revoking refresh token any harder
> than changing client secret?

Changing a client secret can be done without disrupting users. You can even
schedule it, do it every 30 days as part of your general operational
procedures. It's part of a healthy system. Revoking refresh tokens every 30
days is not really feasible.

> As for the assertion grant type, where is it specified that the refresh
> token is bound to the private keys used to produce the assertion used to
> obtain the refresh token in the first place?

Well, the spec currently has refresh tokens bound to client ids. And the
assertion spec proposal authenticated client ids with public/private key
pairs. You wouldn't bind the refresh token directly to a private key, for the
same reason that you don't bind the refresh token directly to the client
secret. You bind refresh tokens to clients, and then you require client
authentication.
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
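The model described in the reply above (refresh tokens bound to a client id, with client authentication required on every refresh), as an added toy authorization server that is not part of the thread or of any OAuth specification; the `AuthServer` class, its method names and the SHA-256 secret hashing are assumptions made for this illustration.

```python
# Added example (not from the thread): a toy authorization server showing why a
# client secret can rotate without disrupting users while refresh tokens stay
# revocable, because tokens are bound to the client id and not to the secret.
import hashlib
import hmac
import secrets


def _hash_secret(secret: str) -> str:
    # Assumption: plain SHA-256 stands in for a real password hash (e.g. Argon2).
    return hashlib.sha256(secret.encode()).hexdigest()


class AuthServer:
    def __init__(self) -> None:
        self.clients = {}         # client_id -> hashed client secret
        self.refresh_tokens = {}  # refresh token -> client_id it is bound to

    def register_client(self, client_id: str, secret: str) -> None:
        self.clients[client_id] = _hash_secret(secret)

    def rotate_secret(self, client_id: str, new_secret: str) -> None:
        # Rotation replaces only the credential; outstanding refresh tokens are
        # bound to the client id, so users are not disrupted.
        self.clients[client_id] = _hash_secret(new_secret)

    def issue_refresh_token(self, client_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self.refresh_tokens[token] = client_id
        return token

    def revoke_refresh_token(self, token: str) -> None:
        # Per-token revocation: only this token stops working.
        self.refresh_tokens.pop(token, None)

    def _authenticate(self, client_id: str, secret: str) -> bool:
        stored = self.clients.get(client_id)
        return stored is not None and hmac.compare_digest(stored, _hash_secret(secret))

    def refresh(self, client_id: str, secret: str, token: str) -> bool:
        """Return True only if the client authenticates AND owns the token."""
        # Step 1: client authentication with the currently valid secret.
        if not self._authenticate(client_id, secret):
            return False
        # Step 2: the refresh token must be bound to the authenticated client.
        return self.refresh_tokens.get(token) == client_id
```

Rotating the secret rejects the old credential but leaves the token usable; presenting the token under a different client id, or after revocation, is refused.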
