Scope having actual meaning to the client (your usage of 'offline' is what I'm
looking at) is something you can define but is not something currently in the
protocol.
I think it's a simpler picture than you are painting:
1) You might get a hint with the expires_in value for when the token will
expire. The client can refresh based on that.
2) If you get an access token failure, then if you have a refresh token you
try to get a new access token.
3) If your refresh token fails (not authorized) to get you a new access
token, then you have to re-authenticate.
HTTP temporary failures and such get retried.
Clients basically have to support that logic flow.
>________________________________
> From: Andreas Åkre Solberg <andreas.solb...@uninett.no>
>To: oauth@ietf.org
>Sent: Thursday, April 19, 2012 1:29 AM
>Subject: [OAUTH-WG] Best-Practice for dealing with OAuth 2.0 Token expiration
>at the Consumer
>
>Please give me feedback if I got anything wrong, or if you have comments.
>
>https://rnd.feide.no/2012/04/19/best-practice-for-dealing-with-oauth-2-0-token-expiration-at-the-consumer/
>
>Kind regards,
>Andreas Åkre Solberg
>UNINETT
>
>
>_______________________________________________
>OAuth mailing list
>OAuth@ietf.org
>https://www.ietf.org/mailman/listinfo/oauth
>
>
>
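The three-step flow from the reply above, written out as an added example that is not part of the original message. The callables `refresh`, `reauthenticate` and `api`, the exception names, the 30-second skew and the retry count are assumptions of this example.

```python
import time

class Unauthorized(Exception): pass  # token rejected (401, or invalid_grant on refresh)
class Temporary(Exception): pass     # transient HTTP/network failure, safe to retry

class TokenClient:
    # refresh(rt) and reauthenticate() are hypothetical callables returning a token dict.
    def __init__(self, refresh, reauthenticate, clock=time.monotonic, skew=30, retries=3):
        self.refresh, self.reauthenticate = refresh, reauthenticate
        self.clock, self.skew, self.retries = clock, skew, retries
        self.access = self.refresh_token = self.expires_at = None
        self.log = []  # decisions taken, for inspection

    def _store(self, tok):
        self.access = tok["access_token"]
        self.refresh_token = tok.get("refresh_token", self.refresh_token)
        ttl = tok.get("expires_in")  # step 1: only a hint, may be absent
        self.expires_at = None if ttl is None else self.clock() + ttl

    def _retry(self, fn, *args):
        for attempt in range(self.retries):
            try:
                return fn(*args)
            except Temporary:  # a real client would back off before retrying
                if attempt == self.retries - 1:
                    raise
                self.log.append("retry")

    def _renew(self):
        if self.refresh_token:
            try:  # step 2: use the refresh token if we have one
                self._store(self._retry(self.refresh, self.refresh_token))
                self.log.append("refreshed")
                return
            except Unauthorized:
                self.refresh_token = None  # step 3: refresh token no longer accepted
        self._store(self._retry(self.reauthenticate))
        self.log.append("reauthenticated")

    def call(self, api):
        stale = self.expires_at is not None and self.clock() >= self.expires_at - self.skew
        if self.access is None or stale:
            self._renew()
        try:
            return self._retry(api, self.access)
        except Unauthorized:  # the hint was wrong or the token was revoked early
            self._renew()
            return self._retry(api, self.access)  # a second rejection propagates
```

A temporary failure during refresh is retried and, if it persists, raised without discarding the refresh token; only an explicit rejection forces re-authentication.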