[OAUTH-WG] Re: Refresh Token Rotation

2024-08-05 Thread David Waite
On Aug 2, 2024, at 5:36 AM, Indeewari Wijesiri wrote:
> Hi Warren,
>
> Thank you for your attention.
>
> When public web clients use the authorization code grant for authentication,
> a successful response includes an access token and, optionally, a refresh
> token. If the access token is a

[OAUTH-WG] Re: Refresh Token Rotation

2024-08-02 Thread Aaron Parecki
> --
> *From:* Indeewari Wijesiri
> *Sent:* Friday, August 2, 2024 7:36 AM
> *To:* Warren Parad
> *Cc:* oauth@ietf.org
> *Subject:* [OAUTH-WG] Re: Refresh Token Rotation
>
> Hi Warren,
>
> Thank you for your attention.
>
> When public

[OAUTH-WG] Re: Refresh Token Rotation

2024-08-02 Thread Justin Richer
lue when you use it.

- Justin

From: Indeewari Wijesiri
Sent: Friday, August 2, 2024 7:36 AM
To: Warren Parad
Cc: oauth@ietf.org
Subject: [OAUTH-WG] Re: Refresh Token Rotation

Hi Warren,

Thank you for your attention.

When public web clients use the authorization co

[OAUTH-WG] Re: Refresh Token Rotation

2024-08-02 Thread Indeewari Wijesiri
Hi Warren,

Thank you for your attention.

When public web clients use the authorization code grant for authentication, a successful response includes an access token and, optionally, a refresh token. If the access token is a JWT rather than an opaque token, the identity server will issue a new JWT

[OAUTH-WG] Re: Refresh Token Rotation

2024-08-02 Thread Warren Parad
Indeewari,

I'm confused regarding what you are describing. Would you be able to give additional context?

- Warren

On Fri, Aug 2, 2024 at 11:25 AM Indeewari Wijesiri wrote:
> Hi all,
>
> Refresh token rotation, which involves issuing a new refresh token each
> time an access token is renewed, i