....
The WRAP refresh token only needs to be accessible to a limited number
of systems. So you can use that to improve the client-side security.
There are WRAP profiles that leverage existing trust relationships to
eliminate the need for refresh tokens entirely.

Is this the point where OpenID and OAuth converge?

I am completely missing the relation to OpenID here... What is it?

Suppose a website wants to (1) log in users interactively and (2) access
web services on behalf of those users which are secured by tokens. From
my point of view, one could integrate token issuance into the login
process. So the application might perform login via OpenID and request
access tokens as additional results of the login process from the
identity provider. Does this make sense?

regards,
Torsten.
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth