OAuth allows a client to access user resources without revealing the
resource owner's identity to the client. Isn't this anonymity? I
consider this an important property of the protocol.
regards,
Torsten.
On Thu, 11 Aug 2011 21:00:54 -0400, Barry Leiba wrote:
This seems to need a chair to step in. Tony is taking a strong stand
and maintaining it:
On Thu, Aug 11, 2011 at 1:40 PM, Anthony Nadalin
<tony...@microsoft.com> wrote:
Nowhere in the specification is there explanation for refresh
tokens, The
reason that the Refresh token was introduced was for anonymity. The
scenario
is that a client asks the user for access. The user wants to grant
the
access but not tell the client the user's identity. By issuing the
refresh
token as an 'identifier' for the user (as well as other context data
like
the resource) it's possible now to let the client get access without
revealing anything about the user. Recommend that the above
explanation be
included so developers understand why the refresh tokens are there.
So far, though it's been only half a day, I've seen several posts
disagreeing with Tony, and none supporting any change to the text for
this. We're close to ending WGLC, so please post here if you agree
with Tony's suggested change. Otherwise, it looks like consensus is
against.
Barry, as chair
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
