Hi Thomas, The approach you've suggested sounds good. Passing just the client_id along with the token and type (regardless of client type) would be consistent with how refresh_token requests are structured. As long as the new RFC obsoletes this one.
Ash
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
