On Tue, Jul 12, 2011 at 8:29 AM, William J. Mills <[email protected]> wrote: > Why would you re-issue a refresh token every usage? What's the use case > where this makes sense?
It's key rotation built into the protocol. Even if a refresh token is stolen, it's going to become useless to the attacker very quickly. My main concern with rotating refresh tokens with every use is that it can cause problems with distributed client apps; they have to keep the refresh token in sync, and it adds complexity. But for desktop and mobile apps it's quite a good idea. (You can see a similar design in how Active Directory manages kerberos machine keys. They took a slightly different approach, in that the client machines phone home to change their keys, but it provides similar benefits.) _______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
