Hi all, I was hoping to get some clarity on a statement in section 2.0 of draft-ietf-oauth-revocation-00.
"If the processed token is a refresh token and the authorization server supports the revocation of access tokens, then the authorization server SHOULD also invalidate all access tokens issued for that refresh token."

My question is on the statement "access tokens issued for that refresh token". What does it mean to have an Access Token "issued" for a Refresh Token?

This specific case is clear to me: I am refreshing an Access Token where I keep the same Refresh Token that I used to generate the new Access Token. I see that the new Access Token was issued for that Refresh Token.

However, these two cases are a bit muddy to me.

1. Let’s say I am using the "Resource Owner Password Credentials Grant", where the Access Token Response returns both an Access Token and a Refresh Token. Would the Access Token have been issued for that Refresh Token?

2. Let’s say I am refreshing an Access Token but choose to create a new Refresh Token and immediately revoke the original Refresh Token. Would the newly created Access Token have been issued for the original Refresh Token or the new one that was created?

If a client would revoke a Refresh Token … I would like the Access Tokens in all of the above cases to be automatically revoked as well. I just want to make sure I understand the model.

Thanks,

Doug Foiles
Intuit
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
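The three cases in the message above, worked through in a toy authorization-server token store. This is an added example written for this page; it is neither text from the draft nor code from the poster. The "grant" linkage, the `minted_by` field, the two revocation policies and the credential check are assumptions of the example, not spec language: they exist to show how the answer to "which access tokens were issued for this refresh token" depends on what the server records when it mints a token.

```python
"""Toy token store: password grant issuing AT+RT together, refresh that keeps
the same RT, refresh that rotates the RT, and a revocation endpoint that
cascades from a refresh token to its access tokens.

Added example for the discussion above, not code from the draft or the poster.
Field names, policies and the hard-coded credential are assumptions."""
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Token:
    value: str
    kind: str                  # "access" or "refresh"
    grant_id: str              # the resource-owner authorization this token belongs to
    minted_by: Optional[str]   # refresh token value that produced this token, or None
    revoked: bool = False


class TokenStore:
    def __init__(self) -> None:
        self.tokens: Dict[str, Token] = {}

    def _mint(self, kind: str, grant_id: str, minted_by: Optional[str] = None) -> Token:
        tok = Token(secrets.token_urlsafe(16), kind, grant_id, minted_by)
        self.tokens[tok.value] = tok
        return tok

    def password_grant(self, username: str, password: str) -> Tuple[str, str]:
        """Resource Owner Password Credentials grant: one response carries both
        an access token and a refresh token (case 1 in the message)."""
        # Assumed credential check for the example; a real server verifies
        # against its user store and a password hash.
        if (username, password) != ("alice", "correct horse"):
            raise PermissionError("invalid_grant")
        grant_id = secrets.token_hex(8)
        rt = self._mint("refresh", grant_id)
        # Record the refresh token issued alongside it as the access token's origin.
        at = self._mint("access", grant_id, minted_by=rt.value)
        return at.value, rt.value

    def refresh(self, rt_value: str, rotate: bool = False) -> Tuple[str, str]:
        """Refresh grant. rotate=False keeps the same refresh token (the clear
        case in the message); rotate=True issues a new one and retires the old
        one immediately (case 2 in the message)."""
        rt = self.tokens.get(rt_value)
        if rt is None or rt.kind != "refresh" or rt.revoked:
            raise PermissionError("invalid_grant")
        if rotate:
            new_rt = self._mint("refresh", rt.grant_id, minted_by=rt.value)
            # Rotation only retires the old refresh token here; whether the
            # access tokens it minted should die with it is exactly the question.
            rt.revoked = True
            rt = new_rt
        at = self._mint("access", rt.grant_id, minted_by=rt.value)
        return at.value, rt.value

    def revoke(self, token_value: str, policy: str = "grant") -> List[str]:
        """Revocation endpoint. Returns the values of every token invalidated.
        policy="minted_by": only access tokens whose recorded origin is this
                            refresh token (narrow reading of "issued for").
        policy="grant":     every live access token under the same grant
                            (the behaviour the message asks for; an assumption)."""
        tok = self.tokens.get(token_value)
        if tok is None:
            return []  # unknown tokens are ignored rather than reported
        tok.revoked = True
        invalidated = [tok.value]
        if tok.kind == "refresh":
            for t in self.tokens.values():
                if t.kind != "access" or t.revoked:
                    continue
                linked = (t.minted_by == tok.value if policy == "minted_by"
                          else t.grant_id == tok.grant_id)
                if linked:
                    t.revoked = True
                    invalidated.append(t.value)
        return invalidated

    def is_valid(self, token_value: str) -> bool:
        t = self.tokens.get(token_value)
        return t is not None and not t.revoked


def run_scenario(policy: str) -> Dict[str, bool]:
    """Run all three cases, then have the client revoke the current refresh
    token under the given policy; report which tokens are still valid."""
    store = TokenStore()
    at0, rt0 = store.password_grant("alice", "correct horse")  # AT + RT together
    at1, _ = store.refresh(rt0)                                 # same RT kept
    at2, rt1 = store.refresh(rt0, rotate=True)                  # RT rotated, rt0 retired
    store.revoke(rt1, policy=policy)
    return {name: store.is_valid(v)
            for name, v in [("at0", at0), ("at1", at1), ("at2", at2),
                            ("rt0", rt0), ("rt1", rt1)]}


if __name__ == "__main__":
    for policy in ("minted_by", "grant"):
        print(policy, run_scenario(policy))
```

Under the narrow `minted_by` policy, revoking the rotated refresh token only kills the access token it minted; the two access tokens minted under the original refresh token survive, because rotation retired that token without going through the revocation endpoint. Under the `grant` policy all five tokens are invalidated, which is the outcome the message says it wants. The difference is entirely in what the server chooses to record at mint time, which is why the draft's wording leaves room for both readings.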
