Hi Phil,

> On 16.01.2019 at 00:38, Phil Hunt <phil.h...@oracle.com> wrote:
>
> I have had a couple reviewers comment whether this means client
> authentication is optional in Sec 3.12 for token refresh:
>
>> * authentication of this client_id during token refresh, if
>> possible, and

This just cites RFC 6749, where authentication for refresh is not required if not possible, i.e. refresh for public clients is unauthenticated.

> Do we not mean authentication of the client or some equivalent (e.g. looking
> at browser cookies).

The BCP goes beyond RFC 6749 by expecting the AS to bind refresh tokens to a certain instance of a public client. Please see "Authorization server MUST utilize one of the methods listed below to detect refresh token replay for public clients:" ....

kind regards,
Torsten.

> Phil
>
> Oracle Corporation, Cloud Security and Identity Architect
> @independentid
> www.independentid.com
> phil.h...@oracle.com
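As an added illustration of the point Torsten makes above (this is example code written for this page, not code from the thread, the BCP or any authorization server), the following sketches how an AS can detect refresh token replay for a public client without authenticating it. It assumes that refresh token rotation with family revocation is one of the methods the BCP refers to: every refresh returns a new token and invalidates the presented one, and a second presentation of an already-used token is treated as a replay that revokes the whole token family. The `RefreshTokenStore` class, the notion of a token "family" and the `client_id` sanity check are all assumptions of this example; for a public client the `client_id` match is not authentication, the rotation is what catches the replay.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class TokenRecord:
    """Server-side state for one refresh token (constructed for this example)."""
    client_id: str
    family: str      # all tokens derived from one authorization grant share a family
    generation: int  # how many rotations this token is removed from the grant
    used: bool = False


class RefreshTokenStore:
    """In-memory refresh token store with rotation and replay detection.

    Hypothetical AS component: the real store would be persistent and
    the tokens would normally be bound to the grant, scope and expiry too.
    """

    def __init__(self) -> None:
        self._tokens: Dict[str, TokenRecord] = {}
        self._revoked_families: Set[str] = set()

    def issue_initial(self, client_id: str) -> str:
        """Mint the first refresh token of a new family (after the authorization grant)."""
        family = secrets.token_urlsafe(16)
        return self._mint(client_id, family, generation=0)

    def _mint(self, client_id: str, family: str, generation: int) -> str:
        token = secrets.token_urlsafe(32)
        self._tokens[token] = TokenRecord(client_id, family, generation)
        return token

    def is_family_revoked(self, token: str) -> bool:
        rec = self._tokens.get(token)
        return rec is not None and rec.family in self._revoked_families

    def refresh(self, presented: str, client_id: str) -> Optional[str]:
        """Handle a refresh request from a public client.

        Returns the rotated refresh token, or None if the request is rejected.
        The client_id comparison is only a consistency check (client_id is public
        and offers no authentication); replay is detected by the rotation state.
        """
        rec = self._tokens.get(presented)
        if rec is None or rec.client_id != client_id:
            return None
        if rec.family in self._revoked_families:
            return None
        if rec.used:
            # The presented token was already exchanged once. Either the legitimate
            # client or an attacker holds a stale copy; since the AS cannot tell
            # which, it revokes the whole family so neither side can continue.
            self._revoked_families.add(rec.family)
            return None
        rec.used = True
        return self._mint(client_id, rec.family, rec.generation + 1)


def replay_scenario() -> dict:
    """Walk through a leak-and-replay sequence; returns the observable outcomes."""
    store = RefreshTokenStore()
    rt0 = store.issue_initial("public-app")
    rt1 = store.refresh(rt0, "public-app")         # legitimate rotation
    replay = store.refresh(rt0, "public-app")      # stale copy presented again
    after_replay = store.refresh(rt1, "public-app")  # honest client is also cut off
    return {
        "first_rotation_ok": rt1 is not None,
        "replay_rejected": replay is None,
        "family_revoked": store.is_family_revoked(rt1),
        "legit_client_cut_off": after_replay is None,
        "wrong_client_rejected": store.refresh(store.issue_initial("a"), "b") is None,
    }


if __name__ == "__main__":
    print(replay_scenario())
```

The trade-off visible in `replay_scenario()` is the one the mailing list discussion is circling: because the public client cannot be authenticated, the AS cannot distinguish the legitimate holder from the attacker once both present tokens from the same family, so the safe reaction is to revoke the family and force a fresh authorization.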
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth