+1 Maybe either way at the issuers discretion (optional) until we have a strong feeling why one technique is particularly problematic. i.e. if the server chooses to provide a new refresh token the old token is expired.
Phil @independentid www.independentid.com [email protected] On 2011-07-12, at 9:32 AM, Brian Eaton wrote: > On Tue, Jul 12, 2011 at 8:29 AM, William J. Mills <[email protected]> > wrote: >> Why would you re-issue a refresh token every usage? What's the use case >> where this makes sense? > > It's key rotation built into the protocol. Even if a refresh token is > stolen, it's going to become useless to the attacker very quickly. > > My main concern with rotating refresh tokens with every use is that it > can cause problems with distributed client apps; they have to keep the > refresh token in sync, and it adds complexity. But for desktop and > mobile apps it's quite a good idea. > > (You can see a similar design in how Active Directory manages kerberos > machine keys. They took a slightly different approach, in that the > client machines phone home to change their keys, but it provides > similar benefits.) > _______________________________________________ > OAuth mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/oauth _______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
