All,
I think the draft should explicitly state that the Authorization server
MUST use Cache-Control: no-store on all responses that contain tokens
or other sensitive information, since this is critical to the security
properties of the protocol.
Regards,
Jeroen
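As an added illustration of the point above (example code, not part of the original mail thread or of any OAuth implementation): a token response built with the headers that the published RFC 6749, section 5.1, ends up requiring (Cache-Control: no-store plus Pragma: no-cache), and a small checker that flags responses lacking them. The function and header names are the example's own; the sample "bad" responses in the test are constructed.

```python
"""Added example: OAuth 2.0 token response cache headers and a checker.

Not from the original thread. RFC 6749 section 5.1 requires the
authorization server to send Cache-Control: no-store and Pragma: no-cache
on any response that carries tokens or other sensitive material.
"""
import json
from typing import Dict, List, Optional


def token_response(access_token: str, expires_in: int,
                   refresh_token: Optional[str] = None) -> Dict[str, object]:
    """Build a successful token endpoint response (status, headers, body).

    The two cache headers are the security-relevant part: without them a
    shared cache or proxy on the path may store and replay the token body.
    """
    body = {
        "access_token": access_token,
        "token_type": "Bearer",
        "expires_in": expires_in,
    }
    if refresh_token is not None:
        body["refresh_token"] = refresh_token
    headers = {
        "Content-Type": "application/json;charset=UTF-8",
        "Cache-Control": "no-store",   # MUST per RFC 6749 5.1
        "Pragma": "no-cache",          # MUST per RFC 6749 5.1 (HTTP/1.0 caches)
    }
    return {"status": 200, "headers": headers, "body": json.dumps(body)}


def cache_findings(headers: Dict[str, str]) -> List[str]:
    """Return a list of problems with the cache headers of a token response.

    Header names are matched case-insensitively (HTTP header names are),
    and Cache-Control is split into directives so that e.g.
    "private, no-store" is accepted while "no-cache, max-age=0" is not:
    no-cache only forces revalidation, the body may still be stored.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    cache_control = lower.get("cache-control", "")
    directives = {d.strip().lower() for d in cache_control.split(",") if d.strip()}
    if "no-store" not in directives:
        findings.append("Cache-Control lacks no-store")

    if lower.get("pragma", "").strip().lower() != "no-cache":
        findings.append("Pragma: no-cache missing")

    return findings


if __name__ == "__main__":
    good = token_response("2YotnFZFEjr1zCsicMWpAA", 3600, "tGzv3JOkF0XG5Qx2TlKWIA")
    print("good response findings:", cache_findings(good["headers"]))
    # Constructed example of a careless server: revalidation only, no no-store.
    bad = {"Content-Type": "application/json", "Cache-Control": "no-cache, max-age=0"}
    print("bad response findings:", cache_findings(bad))
```

The checker is what you would run against a live authorization server's token endpoint (for example over captured responses) to confirm the MUST is actually honoured; the distinction between no-cache and no-store is the usual mistake it catches.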
___
Hi,
It appears that people agree excessive token length could be an issue
for interoperability, but opinions vary on how long tokens
could/should/must be. Relatively long tokens will occur when encoding
data associated with the user (access rights, group memberships, etc.),
and integrity prot