The required binding of the client and refresh token is implied. For clarity, I would suggest making it explicit with the following edits:
+ In section 1.5, after the first sentence, add "Unlike the access token, the refresh token is bound to the client and is consumed only by the authorization server."
+ On p. 33, the sentence "The client includes its authentication credentials as described in Section 3" is descriptive. Make it prescriptive to read "The client MUST include its authentication credentials as described in Section 3."

Regards,
Huilan LU
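As an added illustration of the two points raised above (not code from the message or from the OAuth specification), the sketch below models an authorization server's token endpoint handling `grant_type=refresh_token`: the client is authenticated first, and the refresh token is then checked against the client it was issued to, so a token presented by any other client is refused. All client ids, secrets and token values are constructed sample data.

```python
import hmac
import secrets

# Constructed sample state: registered confidential clients (client_id -> secret)
# and the refresh tokens the authorization server has issued (token -> client_id).
REGISTERED_CLIENTS = {
    "client-a": "secret-for-client-a",
    "client-b": "secret-for-client-b",
}
ISSUED_REFRESH_TOKENS = {
    "rt-issued-to-client-a": "client-a",   # bound to client-a at issuance
}


def authenticate_client(client_id: str, client_secret: str) -> bool:
    """Client authentication as in Section 3 (secret compared in constant time)."""
    expected = REGISTERED_CLIENTS.get(client_id)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), client_secret.encode())


def refresh_access_token(params: dict) -> dict:
    """Handle a refresh request; returns a token response or an OAuth error object."""
    if params.get("grant_type") != "refresh_token":
        return {"error": "unsupported_grant_type"}
    client_id = params.get("client_id", "")
    # Prescriptive reading of the text: the client MUST authenticate. Reject before
    # the refresh token is even looked up, so unauthenticated probing learns nothing.
    if not authenticate_client(client_id, params.get("client_secret", "")):
        return {"error": "invalid_client"}
    bound_client = ISSUED_REFRESH_TOKENS.get(params.get("refresh_token", ""))
    if bound_client is None:
        return {"error": "invalid_grant"}
    # Binding check: the refresh token is consumed only by the authorization server
    # and only on behalf of the client it was issued to.
    if bound_client != client_id:
        return {"error": "invalid_grant"}
    return {
        "access_token": secrets.token_urlsafe(24),
        "token_type": "Bearer",
        "expires_in": 3600,
    }
```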