Hi all,
I discussed OAuth with some of the security experts here at Deutsche
Telekom. We came up w/ an idea for enhancing refresh token handling I
would like to discuss in the WG.
Assumption: refresh tokens have a very long duration (months to
unlimited) and are stored at the client in a pers
I wanted to poke on the idea of not allowing Refresh Tokens for the
assertion flow. I personally like the idea discussed here where the
Refresh Token is used across all flows unless it doesn't make sense.
The argument I heard for not including the Refresh Token for the
assertion flow is that the u