Why?
"William J. Mills" <[email protected]> schrieb: I agree that this is something you could do, but it doesn't seem like a good design pattern. _____________________________________________ From: Torsten Lodderstedt <[email protected]> To: Eran Hammer-Lahav <[email protected]>; OAuth WG <[email protected]> Sent: Sunday, July 10, 2011 1:21 AM Subject: Re: [OAUTH-WG] Refresh token security considerations replacement of the refresh token with every access token refresh is an example. The authz server creates and returns a new refresh token value with every access token refreshment. The old value is invalidated and must not be used any further. Note: The authz server keeps track of all old (invalidated) refresh tokens. If a client presents one of those old refresh tokens, the legitimate client has been compromised most likely. The authz then revokes the refresh token and the associated access authorization. regards, Torsten. Eran Hammer-Lahav <[email protected]> schrieb: “the authorization server SHOULD deploy other means to detect refresh token abuse” This requires an example. EHL _______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
