Hello everybody,

This is my first post on this mailing list, so I will introduce myself. My name is Bart Wiegmans, I work in Groningen, the Netherlands. I am involved with OAuth2 because I am implementing an authorization server for my employer, all4students / studenten.net.

I have a few remarks about refresh tokens.

1. The way I understand it, they are a way to limit the impact of access token exposure, which I find desirable.

2. However, they can also be seen as credentials for an access token request, in which case refresh token exposure is a more serious risk than access token exposure.

3. Are there, or will there ever be, multiple refresh token types as there are access token types?

4. Can a public client use refresh tokens at all, or is this meaningless? If not, are public clients that are installed on a user's computer or smartphone required to re-authorise every time an access token expires? (This would be undesirable.) Should they request long-lived access tokens?

About MAC tokens, I wonder about the practicality of public (javascript) clients using them as a token type.

With kind regards,
Bart Wiegmans | Developer

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
