Good afternoon,

I would like to ask the WG two questions regarding -09

1)
On section 3.1, regarding the scope parameter, it reads:

code
REQUIRED if the response type is "token" or "code-and-token", otherwise MUST 
NOT be included. The authorization code generated by the authorization server. 
The authorization code SHOULD expire shortly after it is issued. The 
authorization server MUST invalidate the authorization code after a single 
usage. The authorization code is bound to the client identifier and redirection 
URI.

Question: Is it a typo that the "code" parameter is REQUIRED if the response 
type is "token" or "code-and-token", rather than "code" or "code-and-token"?


2)
Also in section 3.1 of -09, it's stated that the Authorization Response 
contains the parameters: "code", "access_token", "expires_in", "scope" and 
"state".

Question: Would it make sense to also include an OPTIONAL "refresh_token" to 
make this response more in line with section 4.2, Access Token Response? Or was 
the intention behind the decision of not returning a "refresh_token" here to 
make it so that the "access_token" cannot be refreshed this way?

Best regards,
Diogo Almeida
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
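The quoted draft text places three requirements on an authorization code: it SHOULD expire shortly after issuance, it MUST be invalidated after a single use, and it is bound to the client identifier and redirection URI. The following is an added example of an authorization-server-side code store that enforces all three; it is not code from the draft, from the OAuth WG, or from the message above. The class and method names, the 60-second default lifetime, and the choice to burn a code on a failed binding check are assumptions of this example.

```python
"""Authorization-code store enforcing the three properties the quoted draft
text requires: short expiry, single use, and binding to the client
identifier and redirection URI.

Added example. Names, the 60-second default TTL and the burn-on-mismatch
policy are assumptions, not requirements taken from the draft."""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass
class IssuedCode:
    client_id: str
    redirect_uri: str
    issued_at: float


class AuthorizationCodeStore:
    def __init__(self, ttl_seconds: float = 60.0,
                 clock: Callable[[], float] = time.time) -> None:
        self._ttl = ttl_seconds
        self._clock = clock          # injectable so expiry can be tested
        self._codes: Dict[str, IssuedCode] = {}

    def issue(self, client_id: str, redirect_uri: str) -> str:
        # 256 bits from the CSPRNG: until redeemed, the code is a bearer
        # secret that anyone holding it could exchange for a token.
        code = secrets.token_urlsafe(32)
        self._codes[code] = IssuedCode(client_id, redirect_uri, self._clock())
        return code

    def redeem(self, code: str, client_id: str, redirect_uri: str) -> bool:
        # pop() removes the entry unconditionally, so every path below, success
        # or failure, leaves the code unusable ("MUST invalidate the
        # authorization code after a single usage").  Burning the code on a
        # client_id / redirect_uri mismatch is a defensive choice of this
        # example; the quoted text only says the code is bound to them.
        entry = self._codes.pop(code, None)
        if entry is None:
            return False   # unknown, already used, or purged as expired
        if self._clock() - entry.issued_at > self._ttl:
            return False   # "SHOULD expire shortly after it is issued"
        if entry.client_id != client_id or entry.redirect_uri != redirect_uri:
            return False   # "bound to the client identifier and redirection URI"
        return True

    def purge_expired(self) -> int:
        """Drop codes past their TTL so unredeemed ones do not pile up.
        Returns the number removed."""
        now = self._clock()
        stale = [c for c, e in self._codes.items() if now - e.issued_at > self._ttl]
        for c in stale:
            del self._codes[c]
        return len(stale)


if __name__ == "__main__":
    # Constructed demo values, not taken from the draft or the message.
    store = AuthorizationCodeStore()
    code = store.issue("client-a", "https://client.example/cb")
    print("first redemption :", store.redeem(code, "client-a", "https://client.example/cb"))
    print("second redemption:", store.redeem(code, "client-a", "https://client.example/cb"))
```

Because the code is removed from the store before any check runs, a replayed or mismatched redemption can never succeed later with the "right" parameters; the order of the checks only decides which failure is reported, not whether the code survives.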