On Mon, Apr 4, 2011 at 12:38 PM, Zeltsan, Zachary (Zachary)
<zachary.zelt...@alcatel-lucent.com> wrote:
> According to section "6 Refreshing an Access Token" (-13.txt), the client, when 
> making a request to exchange a refresh token for an access token, has to 
> include its authentication credentials, and the "authorization server MUST 
> validate the client credentials".
> How can this be done if a client is an application that can't have a client 
> secret?
> The authorization code grant does require client authentication (per section 
> 4.1):
>
> (D)  The client requests an access token from the authorization
>        server's token endpoint by authenticating using its client
>        credentials, and includes the authorization code received in the
>        previous step.
>
> It appears that clients that cannot keep their secret cannot use (be 
> issued) refresh tokens.

Right, so something has to give; otherwise there is no solution for native apps.

An authorization server will have to accept clients with no secrets.
Google chose to actually issue secrets even for native apps, with the
understanding that they cannot be guarded properly. It just keeps the
flows and code paths uniform.

Marius
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
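The design point discussed above, an authorization server that accepts clients with no secret but still validates every refresh-token request, as an added example that is not part of this thread and not the code of any real server (it matches the approach the published RFC 6749 later took in its section 6). The token endpoint below authenticates a confidential client with its secret (HTTP Basic or form parameters), requires only a client_id from a public client, and for both relies on the refresh token being bound to the client_id it was issued to, with rotation so a presented token is single-use. The in-memory client registry, the SHA-256 secret hashing, the token store and the `demo()` scenario are my assumptions:

```python
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


def hash_secret(secret: str) -> bytes:
    # Store only a hash of the client secret (assumption: SHA-256 keeps the
    # example short; a real server would use a slow, salted KDF).
    return hashlib.sha256(secret.encode()).digest()


@dataclass
class Client:
    client_id: str
    # None marks a public client (e.g. a native app) that holds no secret.
    secret_hash: Optional[bytes] = None

    @property
    def is_confidential(self) -> bool:
        return self.secret_hash is not None


@dataclass
class AuthorizationServer:
    clients: dict
    # Refresh tokens are opaque strings bound to the client_id they were issued to.
    refresh_tokens: dict = field(default_factory=dict)

    def issue_refresh_token(self, client_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self.refresh_tokens[token] = client_id
        return token

    def token_endpoint(self, headers: dict, form: dict) -> dict:
        if form.get("grant_type") != "refresh_token":
            return {"error": "unsupported_grant_type"}

        client_id, client_secret = self._client_credentials(headers, form)
        client = self.clients.get(client_id)
        if client is None:
            return {"error": "invalid_client"}

        if client.is_confidential:
            # Confidential client: the secret is mandatory and must match.
            if client_secret is None or not hmac.compare_digest(
                hash_secret(client_secret), client.secret_hash
            ):
                return {"error": "invalid_client"}
        # Public client: nothing to verify beyond client_id; the token binding
        # below is the only thing tying the request to that client.

        presented = form.get("refresh_token")
        if presented is None or self.refresh_tokens.get(presented) != client.client_id:
            # Unknown token, already-used token, or a token issued to another client.
            return {"error": "invalid_grant"}

        # Rotate: the presented token is consumed, so a stolen copy replayed
        # later is rejected. This matters most for clients with no secret.
        del self.refresh_tokens[presented]
        return {
            "access_token": secrets.token_urlsafe(32),
            "token_type": "bearer",
            "expires_in": 3600,
            "refresh_token": self.issue_refresh_token(client.client_id),
        }

    @staticmethod
    def _client_credentials(headers: dict, form: dict):
        # HTTP Basic takes precedence; otherwise fall back to form parameters.
        auth = headers.get("Authorization", "")
        if auth.startswith("Basic "):
            client_id, _, secret = base64.b64decode(auth[6:]).decode().partition(":")
            return client_id, secret
        return form.get("client_id"), form.get("client_secret")


def demo() -> dict:
    """Constructed scenario: one confidential web client, one public native app."""
    srv = AuthorizationServer(clients={
        "web-app": Client("web-app", hash_secret("s3cret")),
        "native-app": Client("native-app"),
    })
    web_rt = srv.issue_refresh_token("web-app")
    native_rt = srv.issue_refresh_token("native-app")
    basic = "Basic " + base64.b64encode(b"web-app:s3cret").decode()
    grant = {"grant_type": "refresh_token"}
    results = {}
    # Confidential client, correct secret via HTTP Basic: succeeds.
    results["web_ok"] = srv.token_endpoint({"Authorization": basic}, {**grant, "refresh_token": web_rt})
    # Confidential client that omits its secret: rejected before the token is examined.
    results["web_no_secret"] = srv.token_endpoint({}, {**grant, "client_id": "web-app", "refresh_token": web_rt})
    # Public client sends only client_id: accepted because the token was issued to it.
    results["native_ok"] = srv.token_endpoint({}, {**grant, "client_id": "native-app", "refresh_token": native_rt})
    # Replay of the rotated token: rejected.
    results["native_replay"] = srv.token_endpoint({}, {**grant, "client_id": "native-app", "refresh_token": native_rt})
    # Public client presenting a token issued to a different client: rejected.
    web_rt2 = srv.issue_refresh_token("web-app")
    results["native_wrong_client"] = srv.token_endpoint({}, {**grant, "client_id": "native-app", "refresh_token": web_rt2})
    return results
```

Note that the only thing protecting a public client's refresh token is the token itself, so binding it to a client_id is necessary but not sufficient: an attacker who obtains the token can present the same (public) client_id. Rotation narrows the window, and a real server would also restrict scope and lifetime for such clients.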