Hi
I'm looking for some guidance on how the client which already owns an
access token can decide, after getting HTTP 400 back from the resource
server it tries to access on behalf of the end user/resource owner,
that the refresh token it has can now be used to get a new access
token.
[1] refers to various error conditions but it is not obvious to me that
the same conditions (some of them) should or can be reported during the
actual client accessing the protected resource.
My question is, what error condition, if any, from [1] should be
reported back to the client failing to access a protected resource due
to the access token being invalid or expired, so that it can help the
client who also owns the refresh token to decide it can use it now...
Thanks, Sergey
[1] http://tools.ietf.org/html/rfc6749#section-5.2
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth