Hi, I am currently implementing OAuth v2, and I have a couple of questions:

- When a client requests an access token, with grant type "password" for example, can the authorization server resend the same refresh token from the last time the same client/resource-owner combination requested an access token? That would prevent the auth database from being flooded with refresh tokens (which do not expire automatically) from a badly behaving client reusing the "password" grant type repeatedly. Or did I overlook some security considerations?

- More about obtaining an access token: is it possible to send additional (and optional) parameters along when the client requests an access token? The draft states "the authorization server SHOULD ignore unrecognized request parameters.", so I am thinking "yes". Am I correct?

Thanks!

Cheers,
Eric Cestari

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
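The following is an added example, not code from the original post or from any OAuth draft, illustrating both questions above in a minimal token endpoint for the password grant: it reads only the parameters it recognizes (so an extra, unrecognized parameter such as `x_device_name` is ignored), and it keeps the refresh-token table bounded for a repeatedly re-authenticating client by allowing at most `MAX_REFRESH_TOKENS_PER_PAIR` outstanding refresh tokens per (client, resource owner) pair, revoking the oldest one when a new one is issued, rather than handing the same refresh token back again. The user and client stores, the cap of three, and the SHA-256 storage of refresh tokens are assumptions made for this example; a real deployment would hash passwords and client secrets and track token expiry.

```python
"""Minimal OAuth 2.0 token endpoint for the resource-owner password grant.

Added example (not the original poster's code). Assumptions: users and
clients are plaintext dicts for brevity; refresh tokens are stored only as
SHA-256 digests; at most MAX_REFRESH_TOKENS_PER_PAIR refresh tokens stay
valid per (client, resource owner) pair, the oldest being revoked first.
"""
import hashlib
import hmac
import secrets

MAX_REFRESH_TOKENS_PER_PAIR = 3   # assumed cap, not from any spec
ACCESS_TOKEN_LIFETIME = 3600      # seconds, reported in "expires_in"


def _hash_token(token: str) -> str:
    # Store only a digest so a leaked token table yields no usable tokens.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def _secret_equals(expected: str, supplied: str) -> bool:
    # Constant-time comparison; encode so non-ASCII secrets are accepted.
    return hmac.compare_digest(expected.encode("utf-8"), supplied.encode("utf-8"))


class AuthorizationServer:
    def __init__(self, users: dict, clients: dict):
        self._users = users        # username -> password (constructed sample data)
        self._clients = clients    # client_id -> client_secret (constructed sample data)
        # refresh-token digest -> (client_id, username); dict order is issue order
        self._refresh_tokens = {}

    def token_endpoint(self, params: dict) -> tuple:
        """Handle one token request and return (http_status, json_body).

        Only the parameters read below are interpreted; any other key in
        `params` is ignored, as the draft says the server SHOULD do.
        """
        client_id = params.get("client_id", "")
        expected_secret = self._clients.get(client_id)
        if expected_secret is None or not _secret_equals(
            expected_secret, params.get("client_secret", "")
        ):
            return 401, {"error": "invalid_client"}

        if params.get("grant_type") != "password":
            return 400, {"error": "unsupported_grant_type"}

        username = params.get("username", "")
        expected_password = self._users.get(username)
        if expected_password is None or not _secret_equals(
            expected_password, params.get("password", "")
        ):
            # Same error for "no such user" and "wrong password".
            return 400, {"error": "invalid_grant"}

        access_token = secrets.token_urlsafe(32)
        refresh_token = secrets.token_urlsafe(32)   # fresh, unguessable, never reused
        self._store_refresh_token(refresh_token, client_id, username)
        return 200, {
            "access_token": access_token,
            "token_type": "bearer",
            "expires_in": ACCESS_TOKEN_LIFETIME,
            "refresh_token": refresh_token,
        }

    def _store_refresh_token(self, token: str, client_id: str, username: str) -> None:
        self._refresh_tokens[_hash_token(token)] = (client_id, username)
        # Bound the outstanding tokens for this pair by revoking the oldest.
        while self.outstanding_refresh_tokens(client_id, username) > MAX_REFRESH_TOKENS_PER_PAIR:
            oldest = next(
                digest for digest, owner in self._refresh_tokens.items()
                if owner == (client_id, username)
            )
            del self._refresh_tokens[oldest]

    def outstanding_refresh_tokens(self, client_id: str, username: str) -> int:
        return sum(
            1 for owner in self._refresh_tokens.values() if owner == (client_id, username)
        )

    def refresh_token_is_valid(self, client_id: str, token: str) -> bool:
        # The token must still exist and be bound to the presenting client.
        owner = self._refresh_tokens.get(_hash_token(token))
        return owner is not None and owner[0] == client_id


if __name__ == "__main__":
    srv = AuthorizationServer({"alice": "correct horse"}, {"app": "s3cret"})
    req = {"grant_type": "password", "client_id": "app", "client_secret": "s3cret",
           "username": "alice", "password": "correct horse", "x_device_name": "phone"}
    for _ in range(5):
        status, body = srv.token_endpoint(req)
        print(status, body["refresh_token"][:8] + "...")
    print("outstanding:", srv.outstanding_refresh_tokens("app", "alice"))
```

With this design a misbehaving client that re-runs the password grant in a loop can never hold more than three live refresh tokens, each still a distinct unguessable secret bound to the client that requested it.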