Hi All,
The example at [1] suggests that clients working with a refresh grant
authenticate as usual when they need to use a grant.
Section 3.3 of the threat model document [2] says that
"as long as the confidentiality of the particular token can be
ensured by the client, a refresh token can also be used as an
alternative means to authenticate the client instance itself"
How can this be processed by the access token service that expects a
client to authenticate?
For example, typically:
Authorization: Basic encodedInfo
If a refresh token is used to authenticate, how should it be expressed?
client_id=refreshToken in the form payload or URI query?
Thanks, Sergey
[1] https://tools.ietf.org/html/rfc6749#section-6
[2] https://tools.ietf.org/html/rfc6819#section-3.3
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
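As an added illustration (not code from this thread or from any OAuth implementation), the following sketches the refresh-token grant of RFC 6749 section 6 with the client authenticating via HTTP Basic as in section 2.3.1, and the server-side check that the refresh token was issued to the client that authenticated. Client identifiers, secrets and token values are constructed sample data.

```python
"""Refresh-token grant (RFC 6749 sec. 6) with HTTP Basic client
authentication and the server-side token-to-client binding check."""
import base64
import secrets
from urllib.parse import parse_qsl, quote, unquote, urlencode

# Constructed sample data: two confidential clients and one refresh token
# that was issued to client "app-A".
CLIENTS = {"app-A": "s3cret-A", "app-B": "s3cret-B"}
REFRESH_TOKENS = {"rt-111": {"client_id": "app-A", "scope": "read"}}


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """RFC 6749 sec. 2.3.1: form-url-encode both values, join with ':',
    then base64-encode the result for the Authorization header."""
    raw = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(raw.encode()).decode()


def build_refresh_request(client_id, client_secret, refresh_token):
    """Headers and form body a confidential client sends to the token endpoint."""
    headers = {"Authorization": basic_auth_header(client_id, client_secret),
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": "refresh_token",
                      "refresh_token": refresh_token})
    return headers, body


def token_endpoint(headers, body):
    """Server side: authenticate the client first, then verify the refresh
    token belongs to that same client before issuing a new access token."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return 401, {"error": "invalid_client"}
    try:
        cid, sec = base64.b64decode(auth[6:]).decode().split(":", 1)
        cid, sec = unquote(cid), unquote(sec)
    except Exception:
        return 401, {"error": "invalid_client"}
    if not secrets.compare_digest(CLIENTS.get(cid, "").encode(), sec.encode()):
        return 401, {"error": "invalid_client"}
    form = dict(parse_qsl(body))
    if form.get("grant_type") != "refresh_token":
        return 400, {"error": "unsupported_grant_type"}
    rec = REFRESH_TOKENS.get(form.get("refresh_token", ""))
    if rec is None or rec["client_id"] != cid:  # token issued to another client
        return 400, {"error": "invalid_grant"}
    return 200, {"access_token": "at-" + secrets.token_hex(4),
                 "token_type": "Bearer", "scope": rec["scope"]}
```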