I think we can remove that line. The refresh token represents the original authorization and the server an decide when it is still valid.
EHL > -----Original Message----- > From: [email protected] [mailto:[email protected]] On Behalf > Of Zeltsan, Zachary (Zachary) > Sent: Wednesday, July 13, 2011 3:20 PM > To: 'OAuth WG' > Subject: [OAUTH-WG] Validation of a refresh token > > > There is a requirement in the core specification (Section "6 Refreshing an > Access Token) that authorization server "MUST verify that the resource > owner's authorization is still valid" when issuing an access token in exchange > for a refresh token. How is such verification done (given that authorization > server does not interact with the resource owner at this stage)? What exactly > must be checked (e.g., a revocation list, expiration time, ...)? > > Zachary > > > _______________________________________________ > OAuth mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/oauth _______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
