On Thu, Nov 28, 2019 at 12:12:54AM +0000, Mike Jones wrote:
> Please also add these WGLC comments that a Microsoft Azure Active Directory
> (AAD) developer asked me to convey:
>
>
> 1. In 4.12, "Authorization servers MUST determine based on their risk
> assessment whether to issue refresh tokens to a certain client [...]" I'm not
> sure what this requirement requires in practice. AAD issues refresh_tokens to
> all clients upon request and user consent and applies different lifetime
> policies to different clients. We also routinely make risk assessments about
> all manner of things. Does AAD thereby comply with this guideline? Reading
> the whole paragraph, I think the paragraph is trying to encourage OAuth
> clients which use a RT when the RT is returned but use auth codes when the RT
> is not returned. That's fine, but the current text comes off as imposing a
> vague requirement on authorization servers. Edits inline - "Authorization
> servers MUST MAY dynamically determine based on their risk assessment whether
> to issue refresh tokens to a certain client. If the authorization server
> decides not to issue refresh tokens, the client may SHOULD refresh access
> tokens by utilizing other grant types, such as the authorization code grant
> type. In such a case, the authorization server may utilize cookies and
> persistent grants to optimize the user experience."
FYI... Using HTML bold/strikethrough doesn't work very well in the text/plain
portion, which is the only one displayed in the official archives:
https://mailarchive.ietf.org/arch/msg/oauth/Yzw0Mk4Ke3yyCH0Oo7MmatXA_tg

-Ben
