On Mon, Nov 26, 2012 at 7:22 PM, Shane B Weeden <[email protected]> wrote:
> My understanding is that it is considered a best practice to roll over a
> refresh token on each use - that is, when a refresh token is used, both a
> new access token and a new refresh token are issued, and the old refresh
> token is revoked.
>

FWIW, I think rotating the refresh token every time it is used is a bit excessive; something time-based (e.g. once every few weeks or few months) would be fine as well. The trade-off is that things that happen rarely are more likely to trigger bugs on the client side. =)
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
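The two policies discussed in the message above, rotating the refresh token on every use versus rotating it only after a fixed interval, side by side as an added example. This is illustrative code written for this page, not code from the thread or from any OAuth implementation; the `AuthServer`, `RefreshRecord` and `InvalidGrant` names, the in-memory token store and the constructed client ids and timestamps are all assumptions. The caller passes the current time explicitly so the behaviour can be exercised without a real clock.

```python
"""Refresh-token rotation: on every use, or on a time schedule.

Added example for illustration only (hypothetical names and store).
"""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


class InvalidGrant(Exception):
    """Raised for an unknown, revoked or wrong-client refresh token."""


@dataclass
class RefreshRecord:
    client_id: str
    issued_at: float   # seconds since epoch, supplied by the caller
    revoked: bool = False


class AuthServer:
    """Minimal token endpoint state. Constructed for the example; real
    servers persist this and bind tokens to scope, user, etc."""

    def __init__(self, rotate_every_use: bool = True,
                 rotate_after_seconds: Optional[float] = None) -> None:
        self.rotate_every_use = rotate_every_use
        self.rotate_after_seconds = rotate_after_seconds
        self._refresh: Dict[str, RefreshRecord] = {}

    @staticmethod
    def _mint() -> str:
        # 256 bits from the OS CSPRNG, URL-safe for transport.
        return secrets.token_urlsafe(32)

    def issue(self, client_id: str, now: float) -> Tuple[str, str]:
        """Initial grant: returns (access_token, refresh_token)."""
        refresh = self._mint()
        self._refresh[refresh] = RefreshRecord(client_id, now)
        return self._mint(), refresh

    def redeem(self, refresh_token: str, client_id: str,
               now: float) -> Tuple[str, str]:
        """Refresh grant: always returns a new access token; returns a new
        refresh token and revokes the old one when the policy says so."""
        rec = self._refresh.get(refresh_token)
        if rec is None or rec.client_id != client_id:
            raise InvalidGrant("unknown refresh token or wrong client")
        if rec.revoked:
            # The old token was rotated out; a second presentation is
            # rejected (and is worth logging as a possible replay).
            raise InvalidGrant("refresh token already rotated")
        access = self._mint()
        due = self.rotate_every_use or (
            self.rotate_after_seconds is not None
            and now - rec.issued_at >= self.rotate_after_seconds)
        if not due:
            return access, refresh_token
        rec.revoked = True
        new_refresh = self._mint()
        self._refresh[new_refresh] = RefreshRecord(client_id, now)
        return access, new_refresh

    def is_revoked(self, refresh_token: str) -> bool:
        rec = self._refresh.get(refresh_token)
        return rec is not None and rec.revoked


def rejects(server: AuthServer, refresh_token: str, client_id: str,
            now: float) -> bool:
    """True if the server refuses this refresh token."""
    try:
        server.redeem(refresh_token, client_id, now)
    except InvalidGrant:
        return True
    return False


if __name__ == "__main__":
    srv = AuthServer(rotate_every_use=True)
    _, r1 = srv.issue("client-a", now=1000.0)
    _, r2 = srv.redeem(r1, "client-a", now=1001.0)
    print("rotated:", r1 != r2, "old rejected:", rejects(srv, r1, "client-a", 1002.0))
```

Under the per-use policy every refresh call invalidates the token the client just sent, so a client that fails to store the new one (a crash between the response and the write, a retried request after a timeout) is locked out at the next refresh. The time-based policy only hits that path once per interval, which is the client-side bug surface the message is weighing against the security benefit.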
