On 08/06/2013 09:10 AM, Patrick Ohly wrote:
> This assumes that a new token is always valid long enough for the
> client to finish its task. I suspect that even with simple clients, this may
> not always be true. For example, the client might run while a laptop
> gets suspended and resume after the token that it uses expired. Always
> asking for a new token before each HTTP request would also not work
> reliably and without access token caching be too expensive.
>
> A more complex client, one which runs for extended periods of time, will
> have to be aware of the need to refresh tokens anyway.

I don't think so. A client should simply assume that the token it gets
is valid, and use it as long as it can. As soon as some calls start to
fail because the token is invalid, it would have to request a new one.
If even the new token is wrong, it should add the
UiPolicy=RequestPasswordPolicy to the parameters dictionary and request
a new one, and if that also fails, just stop trying.
Note that this flow is not OAuth specific, and the client doesn't need
to know anything about refresh tokens.
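
The retry ladder described in the reply above, sketched in Python as an added example (not part of the original thread and not the API of the service under discussion). `TokenSession`, `get_token`, `do_request` and the two exception classes are hypothetical names; only `UiPolicy=RequestPasswordPolicy` comes from the message.

```python
UI_POLICY = {"UiPolicy": "RequestPasswordPolicy"}  # key/value quoted in the thread


class TokenRejected(Exception):
    """do_request raises this when the server says the token is invalid."""


class AuthGivenUp(Exception):
    """Every step of the ladder failed; the client stops trying."""


class TokenSession:
    def __init__(self, get_token):
        self._get_token = get_token  # hypothetical: get_token(params: dict) -> str
        self._token = None

    def call(self, do_request):
        """Run do_request(token), escalating only when the token is rejected."""
        if self._token is None:
            self._token = self._get_token({})
        # None = reuse the token we hold; then plain re-request; then force a prompt.
        for params in (None, {}, dict(UI_POLICY)):
            if params is not None:
                self._token = self._get_token(params)
            try:
                return do_request(self._token)
            except TokenRejected:
                continue  # other errors propagate: they are not auth failures
        self._token = None  # never keep a token known to be bad
        raise AuthGivenUp("token rejected after password prompt; not retrying")


def demo():
    """Constructed scenario: the held token expired during a suspend."""
    issued = iter(["tok-old", "tok-new"])  # constructed sample tokens
    requests = []

    def get_token(params):
        requests.append(params)
        return next(issued)

    def do_request(token):
        if token != "tok-new":
            raise TokenRejected()
        return "200 OK"

    session = TokenSession(get_token)
    session.call(lambda token: "200 OK")  # first call succeeds with tok-old
    return session.call(do_request), requests
```

The ladder is bounded at three attempts per call, so a persistently rejected credential cannot turn into an endless stream of token requests or password prompts.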