Hi all,

Refresh token rotation, which involves issuing a new refresh token each time an access token is renewed, is the default for the refresh grant. Do we follow the same practice for the authorization code grant and password grant as well? What is the recommended practice between long-lived refresh tokens and refresh token rotation for these grants?
Additionally, is there a specific requirement for refresh token rotation with JWT access tokens in the authorization code grant and password grant, given that JWT access tokens are renewed per request?

Thanks and Regards
-- 
Indeewari Wijesiri
_______________________________________________
OAuth mailing list -- oauth@ietf.org
To unsubscribe send an email to oauth-le...@ietf.org
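The rotation behaviour the question describes, as an added illustration that is not part of the original post or of any particular OAuth implementation: each refresh returns a fresh refresh token and retires the presented one. The example also goes one step beyond the post by grouping tokens into a "family" and revoking the whole family when a retired token is presented again, the reuse-detection mitigation recommended alongside rotation; the store, the token format and the `PermissionError` signalling are constructed for this example.

```python
import secrets
import time


class RefreshTokenStore:
    """Constructed example: refresh token rotation with reuse detection.

    Every refresh issues a new refresh token and retires the presented one.
    Tokens share a 'family' id so that presenting an already rotated token
    revokes the whole family, since it indicates the token has leaked.
    """

    def __init__(self, access_ttl=600):
        self.access_ttl = access_ttl
        self._tokens = {}   # refresh token -> {"family", "user", "active"}
        self._revoked_families = set()

    def _new_access_token(self, user):
        # Stand-in for a real access token (e.g. a signed JWT); no signing here.
        return {"sub": user, "exp": time.time() + self.access_ttl,
                "jti": secrets.token_hex(8)}

    def issue(self, user):
        """Initial issuance, e.g. at the end of the authorization code grant."""
        family = secrets.token_hex(8)
        rt = secrets.token_urlsafe(32)
        self._tokens[rt] = {"family": family, "user": user, "active": True}
        return self._new_access_token(user), rt

    def refresh(self, presented_rt):
        """Refresh grant with rotation: returns (access_token, new_refresh_token)."""
        rec = self._tokens.get(presented_rt)
        if rec is None:
            raise PermissionError("unknown refresh token")
        if rec["family"] in self._revoked_families:
            raise PermissionError("token family revoked")
        if not rec["active"]:
            # The token was already rotated: treat reuse as a compromise signal
            # and revoke the entire family so every holder must re-authenticate.
            self._revoked_families.add(rec["family"])
            raise PermissionError("refresh token reuse detected; family revoked")
        rec["active"] = False                     # retire the presented token
        new_rt = secrets.token_urlsafe(32)
        self._tokens[new_rt] = {"family": rec["family"], "user": rec["user"],
                                "active": True}
        return self._new_access_token(rec["user"]), new_rt

    def is_family_revoked(self, rt):
        rec = self._tokens.get(rt)
        return rec is not None and rec["family"] in self._revoked_families
```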