Hi Amit,
as far as I understand you are asking for a documentation of guidelines for
refresh token lifecycle management. Such guidelines are not in scope for RFC
7009, as it only wants to add a request to the AS to give the client an
(interoperable) way to explicitly revoke tokens. Tokens lifecy
Hi Torsten,
I get the point for a BCP around the revocation/validity of refresh tokens.
I’ll compile a document for what we thought should be the best practice around
limiting the validity of refresh tokens (too many of these were unused, and
keeping them alive was both a security liability, a
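The two points raised above, an interoperable revocation request in the RFC 7009 sense and a policy that does not keep unused refresh tokens alive, are shown together in the following added example. It is illustration written for this thread, not code from either author or from any OAuth implementation; the store, the policy values (an absolute lifetime plus an idle timeout) and the `handle_revocation_request` helper are all assumptions made for the example.

```python
"""Added example: a minimal refresh-token store with lifecycle policy and
RFC 7009-style revocation handling. All names and policy values are
constructed for illustration, not taken from the mailing-list thread."""
import hashlib
import secrets
from dataclasses import dataclass


@dataclass
class RefreshToken:
    client_id: str     # client the token was issued to
    issued_at: float   # seconds since epoch (passed in explicitly for testability)
    last_used: float   # updated on every successful refresh
    revoked: bool = False


class RefreshTokenStore:
    """Stores only a SHA-256 digest of each token so a database leak does not
    yield usable refresh tokens. Times are plain floats to keep the example
    deterministic."""

    def __init__(self, absolute_lifetime: float, idle_timeout: float):
        self.absolute_lifetime = absolute_lifetime  # hard cap since issuance
        self.idle_timeout = idle_timeout            # cap since last use
        self._tokens = {}                           # digest -> RefreshToken

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, client_id: str, now: float) -> str:
        token = secrets.token_urlsafe(32)
        self._tokens[self._key(token)] = RefreshToken(client_id, now, now)
        return token

    def status(self, token: str, now: float) -> str:
        """Classify a token without changing it; useful for logging/metrics."""
        rec = self._tokens.get(self._key(token))
        if rec is None:
            return "unknown"
        if rec.revoked:
            return "revoked"
        if now - rec.issued_at > self.absolute_lifetime:
            return "expired"
        if now - rec.last_used > self.idle_timeout:
            return "idle_expired"   # the "unused" case the thread describes
        return "valid"

    def use(self, token: str, client_id: str, now: float) -> bool:
        """Called by the token endpoint on a refresh_token grant."""
        rec = self._tokens.get(self._key(token))
        if rec is None or rec.client_id != client_id:
            return False            # token belongs to another client or nobody
        if self.status(token, now) != "valid":
            return False
        rec.last_used = now
        return True

    def revoke(self, token: str, client_id: str) -> None:
        """Mark the token revoked if it exists and belongs to this client.
        Unknown tokens are silently ignored, matching RFC 7009's rule that an
        invalid token still yields HTTP 200."""
        rec = self._tokens.get(self._key(token))
        if rec is not None and rec.client_id == client_id:
            rec.revoked = True

    def purge(self, now: float) -> int:
        """Delete records that can never become valid again; returns the count."""
        dead = [k for k, t in self._tokens.items()
                if self.status_for_record(t, now) != "valid"]
        for k in dead:
            del self._tokens[k]
        return len(dead)

    def status_for_record(self, rec: RefreshToken, now: float) -> str:
        if rec.revoked:
            return "revoked"
        if now - rec.issued_at > self.absolute_lifetime:
            return "expired"
        if now - rec.last_used > self.idle_timeout:
            return "idle_expired"
        return "valid"


def handle_revocation_request(store: RefreshTokenStore, form: dict,
                              authenticated_client: str) -> tuple:
    """Hypothetical handler for an RFC 7009 revocation endpoint. The caller
    has already authenticated the client. Returns (http_status, body)."""
    token = form.get("token")
    if not token:
        return 400, {"error": "invalid_request"}   # RFC 7009 requires 'token'
    # token_type_hint is optional and only an optimisation; it is ignored here.
    store.revoke(token, authenticated_client)
    return 200, {}   # 200 whether or not the token existed
```

`purge` is what a periodic job would run to drop the unused tokens the thread calls a liability; `status` lets an operator measure how many tokens die idle versus by revocation before tightening the policy.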
Hi Amit,
there are guidelines on format and process regarding Internet Drafts -
see http://www.ietf.org/ietf-ftp/1id-guidelines.txt.
You may submit an individual draft using the submission tool and mark it
as relevant to the OAuth working group. To get an impression you may
take a look at ht