I believe the document would flow better if section 4.12 about Refresh Tokens were moved into section 2. The Refresh Token section contains descriptions of some pretty significant normative behavior, and I worry that it will get lost in the long list of attacks and mitigations.
Section 2 starts with a description: "This section describes the set of security mechanisms the OAuth working group recommends to OAuth implementers.", and the whole section on refresh tokens seems like a pretty significant recommendation.

----
Aaron Parecki
aaronparecki.com
@aaronpk <http://twitter.com/aaronpk>

_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
