+1

Maybe either way at the issuers discretion (optional) until we have a strong 
feeling why one technique is particularly problematic. i.e. if the server 
chooses to provide a new refresh token the old token is expired.

Phil

@independentid
www.independentid.com
[email protected]





On 2011-07-12, at 9:32 AM, Brian Eaton wrote:

> On Tue, Jul 12, 2011 at 8:29 AM, William J. Mills <[email protected]> 
> wrote:
>> Why would you re-issue a refresh token every usage?  What's the use case
>> where this makes sense?
> 
> It's key rotation built into the protocol.  Even if a refresh token is
> stolen, it's going to become useless to the attacker very quickly.
> 
> My main concern with rotating refresh tokens with every use is that it
> can cause problems with distributed client apps; they have to keep the
> refresh token in sync, and it adds complexity.  But for desktop and
> mobile apps it's quite a good idea.
> 
> (You can see a similar design in how Active Directory manages kerberos
> machine keys.  They took a slightly different approach, in that the
> client machines phone home to change their keys, but it provides
> similar benefits.)
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth

Reply via email to