In section 1.5, step 8 in the flow says:

The authorization server authenticates the client and validates the refresh token, and if valid, issues a new access token (and, optionally, a new refresh token).

Also, Figure 2, step 8 says:

Access Token & Optional Refresh Token

Whether or not the refresh token is rotated (as defined in section 6), doesn't the response always include a refresh token? Since it seems likely that the more common use-case will be refresh token rotation, perhaps the wording in section 1.5 should lean that way?

Perhaps 1.5, step 8 should say:

The authorization server authenticates the client and validates the refresh token, and if valid, issues a new access token and a new refresh token (or uses the same refresh token if certain security requirements are met).

Perhaps Figure 2, step 8 should say:

Access Token & Refresh Token

Best,
Micah
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
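The two behaviours the message contrasts, rotating the refresh token on every use versus handing back the same one, can be seen side by side in a small model of an authorization server's refresh-token grant. This is an added example, not text or code from the draft or from the thread; the class and function names, the in-memory token store and the reuse-detection policy (revoking the whole token family when a rotated-out token is presented again) are assumptions made for illustration. In both modes the token response carries a `refresh_token`, which is the point the message raises.

```python
"""Model of step 8 of the refresh flow: authenticate the client, validate the
refresh token, and issue a new access token plus a refresh token, either
rotated or reused. Constructed example; not the OAuth draft's own code."""

import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class RefreshRecord:
    client_id: str
    family: str            # every token descended from one authorization shares a family
    active: bool = True    # False once rotation has replaced this token


@dataclass
class AuthServer:
    rotate: bool = True    # True: rotate on each use; False: keep the same refresh token
    clients: dict = field(default_factory=dict)         # client_id -> client_secret
    refresh_tokens: dict = field(default_factory=dict)  # token string -> RefreshRecord
    revoked_families: set = field(default_factory=set)

    def register_client(self, client_id: str, client_secret: str) -> None:
        self.clients[client_id] = client_secret

    def issue_initial(self, client_id: str) -> dict:
        """Stand-in for the end of the original grant: first access + refresh token."""
        family = secrets.token_urlsafe(8)
        refresh_token = secrets.token_urlsafe(32)
        self.refresh_tokens[refresh_token] = RefreshRecord(client_id, family)
        return self._token_response(refresh_token)

    def refresh(self, client_id: str, client_secret: str, refresh_token: str) -> dict:
        """Refresh-token grant. Returns a token response or an OAuth-style error."""
        # Authenticate the client (constant-time secret comparison).
        expected = self.clients.get(client_id)
        if expected is None or not hmac.compare_digest(expected, client_secret):
            return {"error": "invalid_client"}

        # Validate the refresh token: known, bound to this client, family not revoked.
        rec = self.refresh_tokens.get(refresh_token)
        if rec is None or rec.client_id != client_id or rec.family in self.revoked_families:
            return {"error": "invalid_grant"}

        # A token that rotation already replaced is being presented again: treat it as
        # a possible replay of a stolen token and revoke every token in its family.
        if not rec.active:
            self.revoked_families.add(rec.family)
            return {"error": "invalid_grant"}

        if self.rotate:
            rec.active = False
            new_refresh = secrets.token_urlsafe(32)
            self.refresh_tokens[new_refresh] = RefreshRecord(client_id, rec.family)
        else:
            new_refresh = refresh_token   # same token comes back in the response

        return self._token_response(new_refresh)

    @staticmethod
    def _token_response(refresh_token: str) -> dict:
        # The response always includes a refresh_token, rotated or not.
        return {
            "access_token": secrets.token_urlsafe(32),
            "token_type": "Bearer",
            "expires_in": 600,
            "refresh_token": refresh_token,
        }


if __name__ == "__main__":
    srv = AuthServer(rotate=True)
    srv.register_client("demo-client", "demo-secret")
    first = srv.issue_initial("demo-client")
    second = srv.refresh("demo-client", "demo-secret", first["refresh_token"])
    print("rotated:", second["refresh_token"] != first["refresh_token"])
    print("replay of old token:", srv.refresh("demo-client", "demo-secret", first["refresh_token"]))
```

With `rotate=True` the old refresh token is invalidated as soon as the new one is issued, and a later presentation of the old token revokes the whole family; with `rotate=False` the same refresh token is returned each time. Either way the client receives a `refresh_token` member in the response.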