On Tue, May 4, 2010 at 11:32 AM, Torsten Lodderstedt <tors...@lodderstedt.net> wrote:
> On 03.05.2010 18:55, Allen Tom wrote:
>> Invalidating the Refresh Token (and presumably also invalidating any
>> outstanding Access Tokens) would make sense as an option for applications
>> that require a high level of security. However, I do not think that
>> invalidating the Refresh Token on every Refresh request should be required
>> in the spec - it should be an implementation specific detail.
>>
>
> It could be an optional feature of the spec (as many other features).

Torsten, can you please have a look at the "explicit request for refresh token" thread? Would a "refresh_token_type=single" parameter solve the above?

Marius

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
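
The two behaviours discussed in this thread, shown side by side as an added example (not code from the thread or from any OAuth specification): a reusable refresh token versus one that is invalidated, together with outstanding access tokens, on every refresh. The `TokenStore` class, its method names and the `single_use` flag are assumptions made for illustration.

```python
import secrets
import time


class TokenStore:
    """In-memory authorization-server token state (hypothetical, for illustration)."""

    def __init__(self, access_ttl=3600):
        self.access_ttl = access_ttl
        self.refresh = {}  # refresh token -> grant record
        self.access = {}   # access token -> (grant id, expiry time)

    def _new_access(self, grant):
        token = secrets.token_urlsafe(32)
        self.access[token] = (grant["id"], time.time() + self.access_ttl)
        return token

    def issue(self, client_id, single_use):
        """Create a grant and return (access_token, refresh_token)."""
        grant = {"id": secrets.token_hex(8), "client": client_id,
                 "single_use": single_use}
        refresh_token = secrets.token_urlsafe(32)
        self.refresh[refresh_token] = grant
        return self._new_access(grant), refresh_token

    def refresh_grant(self, client_id, refresh_token):
        """Exchange a refresh token for a new access token."""
        grant = self.refresh.get(refresh_token)
        if grant is None or grant["client"] != client_id:
            raise PermissionError("invalid_grant")
        if not grant["single_use"]:
            # Reusable mode: the refresh token and older access tokens stay valid.
            return self._new_access(grant), refresh_token
        # Single-use mode: retire the presented refresh token and every
        # outstanding access token of this grant, then mint a fresh pair.
        del self.refresh[refresh_token]
        self.access = {t: rec for t, rec in self.access.items()
                       if rec[0] != grant["id"]}
        new_refresh = secrets.token_urlsafe(32)
        self.refresh[new_refresh] = grant
        return self._new_access(grant), new_refresh

    def access_valid(self, token):
        rec = self.access.get(token)
        return rec is not None and rec[1] > time.time()
```

In single-use mode a replayed refresh token is rejected with `invalid_grant`, which is the property the higher-security option is after.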