How about write some new text about what refresh tokens are for and when they should be issued. I think this can benefit from its own section. The rest is mostly editorial.
EHL On 7/10/10 8:09 PM, "Brian Eaton" <bea...@google.com> wrote: Hey folks - The client credentials flow should never return a refresh token, for the following reasons: - it's never necessary - it's a security problem - it's inefficient - it's confusing I'll go over each of those points in detail, but here are the changes to the spec I'd like to see. Page 8: diagram shows "with optional refresh token". Delete that. Somewhere in document: add a specific description of the client_id + client_secret produces access_token equation. (This seems to have been dropped in draft 7... or am I missing something?) Here are the detailed reasons why the refresh token in this flow is a bad idea. 1) it's never necessary In order to use a refresh token to get a new access token, you need to present a client-id and a client-secret. If you have a client-id and client-secret, you can just use the client credentials flow to get a new access token. So keeping the refresh token around serves no purpose. 2) it's a security problem Creating a refresh token is roughly equivalent to creating an alternate password (client secret) for the client. It's one more secret that needs to be protected. When a client using the client credentials flow is compromised, you need to reset their client secret to recover. But because this profile is creating refresh tokens, you also need to go and revoke all of the refresh tokens. 3) it's inefficient Refresh tokens are long-lived secrets. They need server-side storage. So every single time a client authenticates, you're going to have to allocate long-lived storage associated with that authentication. 4) it's confusing The spec offers no guidance as to when servers should return refresh tokens, or what clients ought to do with them. This is basically a trap. _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
