Re: [OAUTH-WG] OAuth 2.0 for Browser-Based Apps - On the usefulness of refresh token rotation

2020-05-16 Thread Vittorio Bertocci
> logout at the authorization server One important detail here is that if the refresh token has been obtained by including the scope "offline_access", then its lifetime should not be tied to the lifetime of the session (see https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess), h

Re: [OAUTH-WG] OAuth 2.0 for Browser-Based Apps - On the usefulness of refresh token rotation

2020-05-16 Thread Philippe De Ryck
Hi Torsten, > On 16 May 2020, at 19:50, Torsten Lodderstedt wrote: > > Hi Philippe, > >> On 16. May 2020, at 17:08, Philippe De Ryck >> wrote: >> >> Hi all, >> >> I am working on formulating developer guidelines on using Refresh Token >> Rotation (RTR), as required by "OAuth 2.0 for Brows

Re: [OAUTH-WG] OAuth 2.0 for Browser-Based Apps - On the usefulness of refresh token rotation

2020-05-16 Thread Torsten Lodderstedt
Hi Philippe, > On 16. May 2020, at 17:08, Philippe De Ryck > wrote: > > Hi all, > > I am working on formulating developer guidelines on using Refresh Token > Rotation (RTR), as required by "OAuth 2.0 for Browser-Based Apps". > > The protection offered by RTR kicks in the moment a refresh t

[OAUTH-WG] OAuth 2.0 for Browser-Based Apps - On the usefulness of refresh token rotation

2020-05-16 Thread Philippe De Ryck
Hi all, I am working on formulating developer guidelines on using Refresh Token Rotation (RTR), as required by "OAuth 2.0 for Browser-Based Apps". The protection offered by RTR kicks in the moment a refresh token is used twice, so the assumption is that the attacker has the ability to steal to
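The two mechanics discussed in this thread, refresh token rotation with reuse detection (Philippe's post) and the rule that a refresh token issued with the "offline_access" scope outlives the authorization server session while one without it does not (Vittorio's post), are sketched below in a small in-memory authorization-server model. This is an added illustration written for this page, not code from any of the posters or from the OAuth working group; the class names, the family-id bookkeeping and the status strings are my own assumptions about how a server might implement the behaviour, and the scenario functions use constructed session ids and scopes.

```python
import secrets
from dataclasses import dataclass


@dataclass
class RefreshToken:
    value: str
    family: str        # all tokens descending from one grant share a family id
    session_id: str    # the AS session the grant was made in
    offline: bool      # True if "offline_access" was granted (OIDC Core 1.0, sec. 11)
    used: bool = False


class TokenStore:
    """Hypothetical refresh-token store for an authorization server (assumption, not a real library)."""

    def __init__(self):
        self.tokens = {}               # token value -> RefreshToken
        self.revoked_families = set()  # families killed after a reuse was detected
        self.ended_sessions = set()    # sessions the user logged out of

    def issue(self, session_id, scope):
        """Issue the first refresh token of a new family for a grant."""
        offline = "offline_access" in scope.split()
        rt = RefreshToken(secrets.token_urlsafe(32), secrets.token_hex(8), session_id, offline)
        self.tokens[rt.value] = rt
        return rt.value

    def refresh(self, presented):
        """Rotate: consume the presented token and hand out a successor in the same family.

        Returns (new_token_or_None, status)."""
        rt = self.tokens.get(presented)
        if rt is None:
            return None, "unknown"
        if rt.family in self.revoked_families:
            return None, "revoked_family"
        if rt.used:
            # Second use of the same token: either the client replayed it or an
            # attacker holds a copy. We cannot tell which, so the whole family goes.
            self.revoked_families.add(rt.family)
            return None, "reuse_detected"
        if not rt.offline and rt.session_id in self.ended_sessions:
            # Tokens without offline_access are bound to the AS session lifetime.
            return None, "session_ended"
        rt.used = True
        new = RefreshToken(secrets.token_urlsafe(32), rt.family, rt.session_id, rt.offline)
        self.tokens[new.value] = new
        return new.value, "ok"

    def logout(self, session_id):
        self.ended_sessions.add(session_id)


def rotation_scenario():
    """Attacker steals RT1 and redeems it before the legitimate client does."""
    store = TokenStore()
    rt1 = store.issue("sess-1", "openid")                 # constructed session id
    attacker_rt2, s1 = store.refresh(rt1)                 # attacker wins the race
    _, s2 = store.refresh(rt1)                            # legit client replays RT1
    _, s3 = store.refresh(attacker_rt2)                   # attacker's successor is dead too
    return s1, s2, s3


def logout_scenario():
    """Logout at the AS ends online tokens but leaves offline_access tokens usable."""
    store = TokenStore()
    online = store.issue("sess-2", "openid")
    offline = store.issue("sess-2", "openid offline_access")
    store.logout("sess-2")
    _, online_status = store.refresh(online)
    new_offline, offline_status = store.refresh(offline)
    return online_status, offline_status, new_offline is not None


if __name__ == "__main__":
    print(rotation_scenario())   # ('ok', 'reuse_detected', 'revoked_family')
    print(logout_scenario())     # ('session_ended', 'ok', True)
```

Note what the first scenario shows: the attacker gets one successful refresh before detection, and any access token minted during that window stays valid until it expires. Rotation bounds the damage to one rotation interval; it does not prevent the theft, which is the assumption the thread starts from. The logout handling only implements the offline_access distinction the posts mention; a real server would also enforce absolute refresh-token lifetimes and per-client policies.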