I think we can remove that line. The refresh token represents the original 
authorization and the server an decide when it is still valid.

EHL

> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf
> Of Zeltsan, Zachary (Zachary)
> Sent: Wednesday, July 13, 2011 3:20 PM
> To: 'OAuth WG'
> Subject: [OAUTH-WG] Validation of a refresh token
> 
> 
> There is a requirement in the core specification (Section "6 Refreshing an
> Access Token) that authorization server "MUST verify that the resource
> owner's authorization is still valid" when issuing an access token in exchange
> for a refresh token. How is such verification done (given that authorization
> server does not interact with the resource owner at this stage)? What exactly
> must be checked (e.g., a revocation list, expiration time, ...)?
> 
> Zachary
> 
> 
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth

Reply via email to