Hi Eric,

>- when a client requests an access token, with grant type "password" for
>example, can the authorization server resend the same refresh token from the
>last time the same client/resource owner combination requested an access
>token? That would prevent the auth database from being flooded with refresh
>tokens (which do not expire automatically) from a badly behaving client,
>reusing the "password" grant type repeatedly.
>Or did I overlook some security considerations?

Your authorization server could provide the client with the same refresh token 
again. The question is whether the authorization server must ensure it is the 
same client _instance_ again. Otherwise, this might cause unintended impacts on 
other instances of the same client used by the same user on other devices. 

The spec does not prevent your authorization server from automatically expiring 
refresh tokens (e.g. after some idle time).

>- More about obtaining an access token: is it possible to send additional
>(and optional) parameters along when the client requests an access token?
>The draft states "the authorization server SHOULD ignore unrecognized
>request parameters.", so I am thinking "yes". Am I correct?

Doesn't section 8.2 answer this question?

Regards,
Torsten.

Thanks!
Cheers,
        Eric Cestari
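Torsten's answer above points at two design knobs for an authorization server handling repeated password-grant requests: a reused refresh token should be scoped to the client instance rather than only to the client/user pair, and refresh tokens may be expired after idle time. The Python below is an added example written for this thread, not code from either correspondent or from the OAuth specification. The per-installation `instance_id` the client is assumed to send, the 30-day idle lifetime, and the in-memory store are all constructed assumptions. It goes slightly beyond the thread by contrasting both keying choices, so the effect on a user's other devices is visible.

```python
import secrets
import time
from dataclasses import dataclass

# Constructed policy value: refresh tokens not used for this long are dropped.
# The spec does not prescribe this; it merely does not forbid idle expiry.
IDLE_LIFETIME = 30 * 24 * 3600  # seconds


@dataclass
class RefreshToken:
    value: str
    client_id: str
    instance_id: str   # hypothetical per-installation identifier sent by the client
    user_id: str
    last_used: float   # epoch seconds of issuance or last redemption


class RefreshTokenStore:
    """Toy authorization-server store for refresh tokens issued via the password grant.

    per_instance=True  -> one refresh token per (client, client instance, user)
    per_instance=False -> one refresh token per (client, user), shared across devices
    The token value is kept in memory here for clarity; a real store would keep it
    encrypted at rest (or store only a hash and replace rather than resend).
    """

    def __init__(self, per_instance: bool, now=time.time):
        self.per_instance = per_instance
        self._now = now                         # injectable clock for testing
        self._tokens: dict[str, RefreshToken] = {}  # token value -> record

    def _key(self, client_id, instance_id, user_id):
        # Ignoring the instance makes every device of the same user share one token.
        return (client_id, instance_id if self.per_instance else None, user_id)

    def _find_live(self, key):
        for tok in self._tokens.values():
            if self._key(tok.client_id, tok.instance_id, tok.user_id) == key:
                return tok
        return None

    def issue_for_password_grant(self, client_id, instance_id, user_id) -> str:
        """Resend the existing refresh token for this key, or mint a new one."""
        self.purge_idle()
        existing = self._find_live(self._key(client_id, instance_id, user_id))
        if existing is not None:
            existing.last_used = self._now()
            return existing.value            # same token again: no database growth
        value = secrets.token_urlsafe(32)
        self._tokens[value] = RefreshToken(value, client_id, instance_id, user_id, self._now())
        return value

    def redeem(self, value) -> bool:
        """True if the refresh token is live; touches its idle timer."""
        self.purge_idle()
        tok = self._tokens.get(value)
        if tok is None:
            return False
        tok.last_used = self._now()
        return True

    def revoke(self, value) -> None:
        self._tokens.pop(value, None)

    def purge_idle(self) -> int:
        """Drop tokens idle longer than IDLE_LIFETIME; returns how many were dropped."""
        cutoff = self._now() - IDLE_LIFETIME
        stale = [v for v, t in self._tokens.items() if t.last_used < cutoff]
        for v in stale:
            del self._tokens[v]
        return len(stale)

    def live_count(self) -> int:
        return len(self._tokens)


if __name__ == "__main__":
    # A misbehaving client repeating the password grant does not flood the store.
    store = RefreshTokenStore(per_instance=True)
    first = store.issue_for_password_grant("app", "phone", "alice")
    for _ in range(100):
        store.issue_for_password_grant("app", "phone", "alice")
    print("live tokens after 101 grants from one instance:", store.live_count())

    # Without instance scoping, revoking on the laptop also logs out the phone.
    shared = RefreshTokenStore(per_instance=False)
    phone = shared.issue_for_password_grant("app", "phone", "alice")
    laptop = shared.issue_for_password_grant("app", "laptop", "alice")
    shared.revoke(laptop)
    print("phone token still valid after laptop revocation:", shared.redeem(phone))
```

The `per_instance=False` run shows the "unintended impact on other instances" Torsten mentions: the laptop and phone receive the identical token, so revoking one revokes both. Whether the client can be trusted to report a stable `instance_id` is a separate question the thread does not settle; for confidential clients a registered per-instance credential would be the usual anchor.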

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth