As far as I can tell (which isn't very far on many Friday afternoons), there is no way for a client to distinguish an expired access token from a revoked, malformed, etc. token as the invalid_token error parameter value encompasses multiple scenarios. Of course, a client could parse the error_description, but this is an optional parameter with no guarantee of a common value among providers.
Given that the client would want to make an explicit decision to request another access token using a refresh token (if available), would it not benefit clients if a specific error parameter value was defined for this scenario?
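Added example (not part of the original message): a client that parses the Bearer challenge and, because invalid_token alone cannot separate expired from revoked or malformed, attempts one refresh for any invalid_token and re-authorizes if that does not help. The function names, action strings and sample headers are constructed for illustration.

```python
import re

# auth-param = token "=" ( token / quoted-string )
_PARAM = re.compile(r'([A-Za-z0-9_\-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,"]+))')

def parse_bearer_challenge(header):
    """Return the auth-params of a Bearer challenge as a dict, or None."""
    scheme, _, rest = (header or "").strip().partition(" ")
    if scheme.lower() != "bearer":
        return None
    params = {}
    for name, quoted, bare in _PARAM.findall(rest):
        # Undo backslash escapes inside a quoted-string value.
        params[name.lower()] = re.sub(r"\\(.)", r"\1", quoted) if quoted else bare
    return params

def next_action(www_authenticate, has_refresh_token, refreshed_once):
    """Decide the client's next step from the error code only.

    error_description is optional and provider-specific, so it is
    never branched on; it is only useful for logging.
    """
    params = parse_bearer_challenge(www_authenticate)
    if params is None:
        return "fail"
    error = params.get("error")
    if error == "invalid_token":
        # Expired, revoked and malformed tokens all arrive here.
        # Try the refresh token once; a second invalid_token after a
        # refresh means refreshing will not help.
        if has_refresh_token and not refreshed_once:
            return "refresh"
        return "reauthorize"
    if error == "insufficient_scope":
        # A refreshed token cannot carry more scope than was granted.
        return "request_scope"
    if error is None:
        return "reauthorize"  # challenge with no error code
    return "fail"  # invalid_request or an unknown code

# Constructed sample challenges: same error code, different descriptions.
EXPIRED = 'Bearer realm="example", error="invalid_token", error_description="The access token expired"'
REVOKED = 'Bearer realm="example", error="invalid_token", error_description="Token was revoked"'
SCOPE = 'Bearer error="insufficient_scope", scope="read write"'

if __name__ == "__main__":
    for h in (EXPIRED, REVOKED, SCOPE):
        print(next_action(h, has_refresh_token=True, refreshed_once=False))
```
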