All,

I think the draft should explicitly state that the Authorization server MUST use Cache-Control: no-store on all responses that contain tokens or other sensitive information, since this is critical to the security properties of the protocol.

Regards,
Jeroen

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
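A defender-side check of the property discussed above, added here as an example and not part of the original post: it inspects a token endpoint response and flags one that returns a token without Cache-Control: no-store (RFC 6749 section 5.1 also requires Pragma: no-cache on such responses). The sample responses and the field names in SENSITIVE_FIELDS are constructed for illustration.

```python
import json

# Constructed sample token endpoint responses (not captured from any real server).
TOKEN_RESPONSE_OK = {
    "status": 200,
    "headers": {"Content-Type": "application/json",
                "Cache-Control": "no-store", "Pragma": "no-cache"},
    "body": '{"access_token":"EXAMPLE_TOKEN","token_type":"Bearer","expires_in":3600}',
}
TOKEN_RESPONSE_BAD = {
    "status": 200,
    # Cacheable by an intermediary or browser cache: the token may be stored on disk.
    "headers": {"Content-Type": "application/json", "Cache-Control": "private, max-age=60"},
    "body": '{"access_token":"EXAMPLE_TOKEN","token_type":"Bearer"}',
}

# JSON fields whose presence marks a response as carrying sensitive material (assumed set).
SENSITIVE_FIELDS = {"access_token", "refresh_token", "id_token", "code"}


def cache_control_directives(header_value):
    """Split a Cache-Control value into lower-cased directive names (values dropped)."""
    return {part.strip().split("=", 1)[0].lower()
            for part in header_value.split(",") if part.strip()}


def carries_token(body):
    """True when the JSON body contains any of the sensitive fields."""
    try:
        data = json.loads(body)
    except ValueError:
        return False
    return isinstance(data, dict) and bool(SENSITIVE_FIELDS & set(data))


def check_token_response(resp):
    """Return a list of findings; an empty list means the headers are acceptable."""
    findings = []
    if not carries_token(resp["body"]):
        return findings  # nothing sensitive, no caching requirement applies
    headers = {k.lower(): v for k, v in resp["headers"].items()}  # header names are case-insensitive
    directives = cache_control_directives(headers.get("cache-control", ""))
    if "no-store" not in directives:
        findings.append("token response lacks Cache-Control: no-store")
    if headers.get("pragma", "").strip().lower() != "no-cache":
        findings.append("token response lacks Pragma: no-cache")
    return findings


if __name__ == "__main__":
    for name, resp in (("ok", TOKEN_RESPONSE_OK), ("bad", TOKEN_RESPONSE_BAD)):
        print(name, check_token_response(resp) or "no findings")
```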