On Mon, Dec 13, 2010 at 11:00 AM, Torsten Lodderstedt <tors...@lodderstedt.net> wrote:
> section 5.2
> “The authorization server SHOULD NOT issue a refresh token when the access
> grant type is an assertion or a set of client credentials.”
>
> How shall the server determine whether to issue refresh tokens in case of
> grant type “Resource Owner Password Credentials”? In contrast to
> authorization code, the user is not directly involved in the interaction
> with the authorization server.

Not directly, but the user did provide the credentials. In this case the only long-term credentials the client has are the end user credentials; the server had better issue a refresh token so the client is not forced to store the user credentials, right?

> I would suggest adding an optional request parameter “refresh_token” of type
> boolean to explicitly ask the server for a refresh token.

I agree that something like this parameter would be useful. Maybe something a bit more generic to allow clients to request access and/or refresh tokens. I will send an extension proposal in this regard. But I don't think this mechanism should be used to decide if the assertion profile issues a refresh token.

Marius
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
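Added example, not code from the draft or from anyone on this list: a toy token endpoint in Python that applies the section 5.2 rule (no refresh token for assertion or client-credentials grants, a refresh token for password and authorization-code grants) and then shows the point made above, a client exchanging the user's password once and refreshing afterwards without keeping the password. It assumes the grant_type names later fixed in RFC 6749 plus "assertion" for the draft-era assertion grant, a hypothetical opt-out parameter named `issue_refresh_token` (the proposed name `refresh_token` already carries the token value in a refresh request, so a boolean of that name would be ambiguous there), and constructed in-memory user and client credentials.

```python
"""Toy OAuth 2.0 token endpoint: refresh-token issuance by grant type.

Constructed example for this thread, not code from the draft or the list.
Assumptions: RFC 6749 grant_type names ("password", "client_credentials",
"refresh_token") plus "assertion" as the draft-era assertion grant; a
hypothetical opt-out parameter "issue_refresh_token=false"; an in-memory
user and client store with constructed credentials.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs

# Draft section 5.2: SHOULD NOT issue a refresh token for assertion or
# client-credentials grants, since the client already holds a long-term
# credential. Password and authorization-code grants get one so the client
# can drop the user's credentials after the first exchange.
REFRESH_TOKEN_POLICY = {
    "authorization_code": True,
    "password": True,
    "client_credentials": False,
    "assertion": False,
}


@dataclass
class AuthorizationServer:
    users: dict      # username -> password (constructed sample store)
    clients: dict    # client_id -> client_secret (constructed)
    # refresh token -> (client_id, subject, original grant_type)
    refresh_tokens: dict = field(default_factory=dict)

    def token_endpoint(self, body: str) -> dict:
        """Handle an application/x-www-form-urlencoded token request body."""
        form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
        client_id = form.get("client_id")
        secret = form.get("client_secret") or ""
        if client_id not in self.clients or not hmac.compare_digest(
                self.clients[client_id].encode(), secret.encode()):
            return {"error": "invalid_client"}

        grant_type = form.get("grant_type")
        if grant_type == "password":
            username, password = form.get("username"), form.get("password")
            expected = self.users.get(username)
            if not (username and password and expected
                    and hmac.compare_digest(expected.encode(), password.encode())):
                return {"error": "invalid_grant"}
            subject = username
        elif grant_type == "client_credentials":
            subject = client_id
        elif grant_type == "refresh_token":
            # One-time use: the presented token is consumed and a new one issued.
            record = self.refresh_tokens.pop(form.get("refresh_token"), None)
            if record is None or record[0] != client_id:
                return {"error": "invalid_grant"}
            _, subject, grant_type = record   # policy follows the original grant
        else:
            return {"error": "unsupported_grant_type"}
        return self._issue(client_id, subject, grant_type, form)

    def _issue(self, client_id: str, subject: str, grant_type: str, form: dict) -> dict:
        resp = {"access_token": secrets.token_urlsafe(32),
                "token_type": "bearer", "expires_in": 3600}
        issue_refresh = REFRESH_TOKEN_POLICY.get(grant_type, False)
        # Hypothetical client opt-out (the boolean parameter proposed in the
        # thread, renamed here): it can decline a refresh token, never force one.
        if form.get("issue_refresh_token") == "false":
            issue_refresh = False
        if issue_refresh:
            rt = secrets.token_urlsafe(32)
            self.refresh_tokens[rt] = (client_id, subject, grant_type)
            resp["refresh_token"] = rt
        return resp


def demo():
    """Password grant, then a refresh without the password, then client credentials."""
    srv = AuthorizationServer(users={"alice": "correct horse"},
                              clients={"app": "s3cret"})
    auth = "client_id=app&client_secret=s3cret"
    first = srv.token_endpoint(
        f"grant_type=password&{auth}&username=alice&password=correct+horse")
    # The client now discards the password and keeps only the refresh token.
    second = srv.token_endpoint(
        f"grant_type=refresh_token&{auth}&refresh_token={first['refresh_token']}")
    cc = srv.token_endpoint(f"grant_type=client_credentials&{auth}")
    return first, second, cc


if __name__ == "__main__":
    for name, resp in zip(("password", "refresh", "client_credentials"), demo()):
        print(name, "->", sorted(resp))
```

Two details go beyond the draft text and are this example's own choices: refresh tokens are single-use and rotated on every refresh, and a refresh request inherits the issuance policy of the grant that produced the original token, so a token chain that started with the password grant keeps yielding refresh tokens while a client-credentials client never gets one.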