Does it want to be in the main definition or the security considerations
section?
________________________________
From: Anthony Nadalin <[email protected]>
To: Dick Hardt <[email protected]>
Cc: "OAuth WG ([email protected])" <[email protected]>
Sent: Thursday, August 11, 2011 11:15 AM
Subject: Re: [OAUTH-WG] Refresh Tokens
Many reasons, but none are explained in the specification
From:Dick Hardt [mailto:[email protected]]
Sent: Thursday, August 11, 2011 10:51 AM
To: Anthony Nadalin
Cc: OAuth WG ([email protected])
Subject: Re: [OAUTH-WG] Refresh Tokens
My recollection of refresh tokens was for security and revocation.
security: By having a short lived access token, a compromised access token
would limit the time an attacker would have access
revocation: if the access token is self contained, authorization can be revoked
by not issuing new access tokens. A resource does not need to query the
authorization server to see if the access token is valid.This simplifies access
token validation and makes it easier to scale and support multiple
authorization servers. There is a window of time when an access token is
valid, but authorization is revoked.
On 2011-08-11, at 10:40 AM, Anthony Nadalin wrote:
Nowhere in the specification is there explanation for refresh tokens, The
reason that the Refresh token was introduced was for anonymity. The scenario is
that a client asks the user for access. The user wants to grant the access but
not tell the client the user's identity. By issuing the refresh token as an
'identifier' for the user (as well as other context data like the resource)
it's possible now to let the client get access without revealing anything about
the user. Recommend that the above explanation be included so developers
understand why the refresh tokens are there.
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
