Sorry to repost this mail to the WG. However, we're still looking for feedback on these two issues for our provider implementation.
PS: There was a typo in my first question. Where it reads: "On section 3.1, regarding the scope parameter" it should read: "On section 3.1, regarding the code parameter".

Best regards,
Diogo Almeida

On Jul 3, 2010, at 12:50 PM, Diogo Almeida wrote:

> Good afternoon,
>
> I would like to ask the WG two questions regarding -09
>
> 1)
> On section 3.1, regarding the scope parameter, it reads:
>
> code
> REQUIRED if the response type is "token" or "code-and-token", otherwise MUST
> NOT be included. The authorization code generated by the authorization
> server. The authorization code SHOULD expire shortly after it is issued. The
> authorization server MUST invalidate the authorization code after a single
> usage. The authorization code is bound to the client identifier and
> redirection URI.
>
> Question: Is it a typo that the "code" parameter is REQUIRED if the response
> type is "token" or "code-and-token", rather than "code" or "code-and-token"?
>
>
> 2)
> Also in section 3.1 of -09, it's stated that the Authorization Response
> contains the parameters: "code", "access_token", "expires_in", "scope" and
> "state".
>
> Question: Would it make sense to also include an OPTIONAL "refresh_token" to
> make this response more in line with section 4.2. Access Token Response. Or
> the intention behind the decision of not returning a "refresh_token" here was
> to make it so that the "access_token" cannot be refreshed this way?
>
> Best regards,
> Diogo Almeida
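
Added example, not part of the original message or of the draft: a sketch of how an authorization server could enforce the properties the quoted section 3.1 text gives the authorization code (expiry shortly after issue, invalidation after a single use, binding to the client identifier and redirection URI). The class name, the 60-second lifetime, the in-memory store and the reason strings are assumptions made for illustration.

```python
import hashlib
import secrets
import time

# Assumed lifetime; the quoted text only says the code SHOULD expire shortly.
CODE_TTL_SECONDS = 60


class AuthorizationCodeStore:
    """Hypothetical in-memory code store for an authorization server."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        # sha256(code) -> (client_id, redirect_uri, expires_at)
        self._codes = {}

    @staticmethod
    def _key(code):
        # Keep only a digest so a dump of the table does not expose live codes.
        return hashlib.sha256(code.encode()).hexdigest()

    def issue(self, client_id, redirect_uri):
        """Create a code bound to the client identifier and redirection URI."""
        code = secrets.token_urlsafe(32)
        expires_at = self._clock() + CODE_TTL_SECONDS
        self._codes[self._key(code)] = (client_id, redirect_uri, expires_at)
        return code

    def redeem(self, code, client_id, redirect_uri):
        """Return (ok, reason); the code is consumed on the first attempt."""
        # pop() invalidates the code even when the later checks fail, which is
        # stricter than the quoted text (a design choice of this sketch).
        entry = self._codes.pop(self._key(code), None)
        if entry is None:
            return False, "unknown_or_used"
        bound_client, bound_uri, expires_at = entry
        if self._clock() >= expires_at:
            return False, "expired"
        if client_id != bound_client or redirect_uri != bound_uri:
            return False, "binding_mismatch"
        return True, "ok"


if __name__ == "__main__":
    store = AuthorizationCodeStore()
    cb = "https://client.example/cb"  # constructed sample redirection URI
    code = store.issue("client-a", cb)
    print(store.redeem(code, "client-a", cb))  # first use
    print(store.redeem(code, "client-a", cb))  # replay of the same code
```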