Over in the ACE working group we are currently having a discussion about refreshing tokens on an RS. I want to make sure that this is not something that this working group has already solved. The basic scenario is:
1. Client gets token T1 and posts it to the RS.
2. After some time the RS returns an error to the client about an access issue.
3. Client gets a new token T2 from the AS, possibly using a refresh token.
4. Client posts the token T2 to the RS.
5. The RS somehow needs to associate token T1 and T2 for long-term security sessions.

I do not believe that OAuth has this issue because there is not currently any concept that a token is used for anything other than a single request/response between the client and the RS. There is no idea of the RS storing tokens long term associated with a TLS session that might need to have the access rights for that TLS session changed.

Please provide any feedback that you might have.

Thanks
Jim

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
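To make the five-step scenario concrete, here is an added Python sketch (not from this thread or from any ACE or OAuth implementation) of an RS that keeps a long-lived security session bound to the token that opened it. The rule used in step 5, accepting T2 for the session only if it was issued to the same client and bound to the same proof-of-possession key as T1, is an assumption for illustration, as are the token fields and all sample values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Token:
    jti: str            # token identifier
    client_id: str      # client the AS issued it to
    cnf_kid: str        # proof-of-possession key the token is bound to (assumed field)
    scope: frozenset
    exp: float          # expiry time (seconds)

class ResourceServer:
    """RS keeping one long-lived security session (e.g. a DTLS connection) per session id."""
    def __init__(self):
        self.sessions = {}   # session_id -> Token currently governing that session

    def post_token(self, session_id, token, now):
        # Steps 1 and 4: the client posts a token for a new or existing session.
        if token.exp <= now:
            return "error: token expired"
        current = self.sessions.get(session_id)
        # Step 5 (assumed rule): T2 may replace T1 only if it was issued to the same
        # client and is bound to the same PoP key as the token that opened the session.
        if current is not None and \
                (current.client_id, current.cnf_kid) != (token.client_id, token.cnf_kid):
            return "error: token not bound to this session"
        self.sessions[session_id] = token
        return "ok: session created" if current is None else "ok: session rights updated"

    def access(self, session_id, needed_scope, now):
        # Step 2: each access is checked against the session's current token.
        token = self.sessions.get(session_id)
        if token is None:
            return "error: no session"
        if token.exp <= now:
            return "error: token expired"
        if needed_scope not in token.scope:
            return "error: insufficient scope"
        return "ok"

def run_scenario():
    """Walk the five steps from the message; all tokens and times are constructed."""
    rs = ResourceServer()
    t1 = Token("T1", "client-1", "kid-A", frozenset({"read"}), exp=100)
    t2 = Token("T2", "client-1", "kid-A", frozenset({"read", "write"}), exp=300)
    t3 = Token("T3", "client-2", "kid-B", frozenset({"read"}), exp=300)  # another client's token
    return [
        rs.post_token("dtls-1", t1, now=10),    # 1. T1 opens the session
        rs.access("dtls-1", "read", now=150),   # 2. T1 has expired, RS returns an error
        rs.post_token("dtls-1", t2, now=150),   # 3-4. client fetches T2 from the AS and posts it
        rs.access("dtls-1", "write", now=150),  # 5. T2's rights now govern the same session
        rs.post_token("dtls-1", t3, now=150),   # a token bound to a different key cannot take over
    ]
```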