There is a requirement in the core specification (Section "6 Refreshing an Access Token) that authorization server "MUST verify that the resource owner's authorization is still valid" when issuing an access token in exchange for a refresh token. How is such verification done (given that authorization server does not interact with the resource owner at this stage)? What exactly must be checked (e.g., a revocation list, expiration time, ...)?
Zachary _______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
