On Tue, Jul 12, 2011 at 8:29 AM, William J. Mills <[email protected]> wrote:
> Why would you re-issue a refresh token every usage?  What's the use case
> where this makes sense?

It's key rotation built into the protocol.  Even if a refresh token is
stolen, it's going to become useless to the attacker very quickly.

My main concern with rotating refresh tokens with every use is that it
can cause problems with distributed client apps; they have to keep the
refresh token in sync, and it adds complexity.  But for desktop and
mobile apps it's quite a good idea.

(You can see a similar design in how Active Directory manages kerberos
machine keys.  They took a slightly different approach, in that the
client machines phone home to change their keys, but it provides
similar benefits.)
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth

Reply via email to