Sorry to repost this mail to the WG. However, we're still looking for feedback 
on these two issues for our provider implementation.

PS: There was a typo in my first question. Where it reads: "On section 3.1, 
regarding the scope parameter" it should read: "On section 3.1, regarding the 
code parameter".

Best regards,
Diogo Almeida

On Jul 3, 2010, at 12:50 PM, Diogo Almeida wrote:

> Good afternoon,
> 
> I would like to ask the WG two questions regarding -09
> 
> 1)
> On section 3.1, regarding the scope parameter, it reads:
> 
> code
> REQUIRED if the response type is "token" or "code-and-token", otherwise MUST 
> NOT be included. The authorization code generated by the authorization 
> server. The authorization code SHOULD expire shortly after it is issued. The 
> authorization server MUST invalidate the authorization code after a single 
> usage. The authorization code is bound to the client identifier and 
> redirection URI.
> 
> Question: Is it a typo that the "code" parameter is REQUIRED if the response 
> type is "token" or "code-and-token", rather than "code" or "code-and-token"?
> 
> 
> 2)
> Also in section 3.1 of -09, it's stated that the Authorization Response 
> contains the parameters: "code", "access_token", "expires_in", "scope" and 
> "state".
> 
> Question: Would it make sense to also include an OPTIONAL "refresh_token" to 
> make this response more in line with section 4.2. Access Token Response. Or 
> the intention behind the decision of not returning a "refresh_token" here was 
> to make it so that the "access_token" cannot be refreshed this way?
> 
> Best regards,
> Diogo Almeida

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
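
The authorization code properties quoted from section 3.1 in the mail above (short expiry, single use, binding to the client identifier and redirection URI) can be enforced on the provider side as sketched below. This is an added example, not part of the original mail or of any provider's code; the class name, the 60-second lifetime, the in-memory dictionary and the choice to invalidate a code on its first presentation even when that attempt fails are assumptions of the example.

```python
import hashlib
import hmac
import secrets
import time


class AuthCodeStore:
    """Hypothetical in-memory authorization code store (illustration only)."""

    def __init__(self, ttl=60, clock=time.monotonic):
        self._ttl = ttl          # assumed lifetime in seconds ("expire shortly")
        self._clock = clock      # injectable so expiry can be tested
        self._codes = {}         # sha256(code) -> (client_id, redirect_uri, expires_at)

    @staticmethod
    def _key(code):
        # Only a digest is kept, so a dump of the store does not yield usable codes.
        return hashlib.sha256(code.encode()).hexdigest()

    def issue(self, client_id, redirect_uri):
        """Create a code bound to the client identifier and redirection URI."""
        code = secrets.token_urlsafe(32)
        expires_at = self._clock() + self._ttl
        self._codes[self._key(code)] = (client_id, redirect_uri, expires_at)
        return code

    def redeem(self, code, client_id, redirect_uri):
        """Return True only for the first, in-time, correctly bound use."""
        # pop() removes the entry before any check: the code is invalidated by
        # its first presentation, so a replay always finds nothing.
        entry = self._codes.pop(self._key(code), None)
        if entry is None:
            return False         # unknown code, or already used
        bound_client, bound_uri, expires_at = entry
        if self._clock() >= expires_at:
            return False         # expired
        # Both bindings must match exactly what was recorded at issue time.
        ok_client = hmac.compare_digest(bound_client.encode(), client_id.encode())
        ok_uri = hmac.compare_digest(bound_uri.encode(), redirect_uri.encode())
        return ok_client and ok_uri
```

A production store would need the lookup-and-delete step to be atomic across all token endpoint instances, for example a single conditional delete in the backing database.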
