Hi, I'm trying to do an OAuth 2.0 library, and got a question:
I cannot find a standardized way for an OAuth protected endpoint to report to the client that the Token is not valid (expired or revoked). As a library developer, I'd like to take away as much of possible of the OAuth logic from the application. I need a way to distinguish applicaiton specific protocol errors, from OAuth related errors on protected endpoints. If the library could detect this, it could also in example do refresh the token automatically, and even start a new flow if neccessary. I'm sorry if the answer is obvious. Another question on token validity; the optional expires_in parameter. If I would like to indicate permanent validity, how can I express that? I assume that if I leave the parameter out it is not possible to distinguish between 'undefined / not specified' and 'infitite'. Putting the semanthics into a specific scope could off course work, but lack the feature of beeing standardized between providers. Andreas
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
