Hi all, during today's office hours call I pointed out that oauth-mtls-13's abstract only mentions access tokens, although the spec does provide (some) guidance on refresh token binding as well. Although in the end implementers would do the right thing, given that they have to read the spec in its entirety, having a mention of refresh tokens in the abstract as well would make it easier for superficial readers to learn that the spec does address RTs as well. Refresh token leakage is one of the top concerns of the customers I deal with, and those people rarely read specs from cover to cover: having language in the abstract explicitly calling out RTs might make some conversations easier.
This is admittedly very minor, but the fix would also be pretty easy,
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
