Thanks. This makes sense. I'm wondering if there should be some explanative text under "refresh_token". Yet, it doesn't make all that much sense to define why something isn't there. Never-the-less, it just seem like an awkward omission after reading it.
I do note, that section 6 (Refreshing an Access Token) does not indicate any standard error responses. This seems to be covered by section 5. The second last paragraph in 6 states: "If valid, the authorization server issues an access token response as described in Section 5". Maybe that should read: "The authorization server issues a response as described in Section 5". So in this case, invalid_grant error would be generated. Regards, Phil phil.h...@oracle.com On 2011-02-03, at 12:43 PM, William Mills wrote: > The general use case for refresh tokens is that they don't have a lifetime, > although they can be invalidated by various things. > >> -----Original Message----- >> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf >> Of Phil Hunt >> Sent: Thursday, February 03, 2011 12:27 PM >> To: OAuth WG >> Subject: [OAUTH-WG] Refresh Token and Expires_in >> >> In 5.1 (draft 12), if a refresh_token is returned with an access_token, >> what does expires_in refer to? Strict reading of the spec says it >> refers to the access_token, but isn't lifetime of the refresh token as >> important? Should there be a similar "refresh_expires_in"? >> >> Apologies if this was discussed before. >> >> Phil >> phil.h...@oracle.com >> >> >> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
