On Thu, Jun 11, 2020 at 3:26 AM Neil Madden <neil.mad...@forgerock.com> wrote:
> +1 > > > On 11 Jun 2020, at 07:36, Torsten Lodderstedt <torsten= > 40lodderstedt....@dmarc.ietf.org> wrote: > > > > I generally agree with the proposal, but I would suggest to limit it to > public clients. > > > > > In case of confidential clients, the refresh token is (via the > client_id) already bound to the client’s secret(s) and those can be > rotated. Additionally binding the refresh token to a DPoP key would limit > it’s applicability w/o a benefit. > I meant *PoP* and not *DPoP*. The client secret is also a variant of PoP. This does not change the value of this sentence: "*refresh_token shall always be bound to a PoP*". -- Francis Pouatcha Co-Founder and Technical Lead at adorys https://adorsys-platform.de/solutions/
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth