On Tue, Mar 23, 2010 at 12:01 PM, David Recordon <record...@gmail.com> wrote: >> §3 >> - Why is the parameter oauth_client_secret required for refreshing access >> tokens? Use cases 2.2 and 2.3 do not require the client to use (possess) a >> secret. Does this imply such client are not entitled to refresh tokens? I >> would suggest to simply remove this parameter. > > It shouldn't be required. Fixed! > http://github.com/daveman692/OAuth-2.0/commit/a30843724f241f3ea1052c83dcfec0127a11fe00
It was required in WRAP because is lets you recover if a client web server that holds many refresh tokens is compromised. You rotate the client secret, and then the attacker loses access to user data. Please add it back. =) _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
