There is a requirement in the core specification (Section "6 Refreshing an 
Access Token) that authorization server "MUST verify that the resource owner's 
authorization is still valid" when issuing an access token in exchange for a 
refresh token. How is such verification done (given that authorization server 
does not interact with the resource owner at this stage)? What exactly must be 
checked (e.g., a revocation list, expiration time, ...)?

Zachary 
 

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth

Reply via email to