On 08/06/2013 03:38 PM, Alberto Mardegan wrote:
> You never saw what specifically, long-lasting access tokens,
> frequent short-lived application processes, a combination of the
> two, or blocking of client keys, or something else?
Blocking of clients because of excessive usage of refresh tokens.
Maybe nobody's been blocked because nobody's been using them
excessively? The spec says this about how they're meant to be used:
"Refresh tokens are issued to the client by the authorization server and
are used to obtain a new access token when the current access token
becomes invalid or expires, or to obtain additional access tokens with
identical or narrower scope"
I don't want to take my chances with a change that goes against the
specification and potentially increases the frequency of token refresh
by several orders of magnitude. Clients are supposed to keep their
access tokens for as long as they work, even if it adds an additional
third step to the apps' interaction with sso.
> I don't understand the point about optional usage of refresh
> tokens either. What does it mean, and why is it relevant?
> Using refresh tokens is not mandatory, which means that service
> providers are generally fine with clients authenticating more often
No, that means that clients have a choice of using token refresh or
going through full user authorization when the access token no longer
works, with token refresh being the preferred way because of user's
It doesn't mean that clients get to do either at arbitrary intervals set
by them - it should generally only happen when the access token they
have isn't working anymore (see above).
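To make the difference concrete, here is a small simulation written for this thread (it is not code from the thread, from Ubuntu SSO or from any real authorization server). It models a short-lived client process launched repeatedly and compares the behaviour the spec describes, keep the cached access token until it is rejected and only then use the refresh token, against a client that refreshes unconditionally at every start. The toy server counts refresh-token uses per hour and blocks the client past a limit, which is the failure mode discussed above. The token lifetime, the refresh limit and the launch schedule are constructed values, not anything a real server is known to use.

```python
"""Simulated OAuth 2.0 clients: refresh only when the access token stops working
(as the spec describes) versus refresh at every process start.
Toy model written for this discussion; not Ubuntu SSO or any real server."""
import secrets
from dataclasses import dataclass, field

ACCESS_TTL = 3600      # constructed: access tokens live one hour
REFRESH_LIMIT = 10     # constructed: refreshes per hour before the server blocks the client


@dataclass
class AuthServer:
    """Toy authorization server. Tracks refresh-token use per hour and blocks
    the client once it exceeds REFRESH_LIMIT (the blocking scenario from the thread)."""
    refresh_calls: int = 0
    _access: dict = field(default_factory=dict)        # access token -> expiry time
    _refresh: set = field(default_factory=set)         # valid refresh tokens
    _refresh_times: list = field(default_factory=list)  # timestamps of refresh-token use

    def authorize(self, now):
        """Full user authorization (the expensive step): returns (access, refresh)."""
        refresh_token = secrets.token_hex(8)
        self._refresh.add(refresh_token)
        return self._issue_access(now), refresh_token

    def refresh(self, refresh_token, now):
        """Exchange a refresh token for a new access token, subject to the hourly limit."""
        if refresh_token not in self._refresh:
            raise PermissionError("unknown refresh token")
        self._refresh_times = [t for t in self._refresh_times if t > now - 3600]
        if len(self._refresh_times) >= REFRESH_LIMIT:
            raise PermissionError("client blocked: excessive refresh-token use")
        self._refresh_times.append(now)
        self.refresh_calls += 1
        return self._issue_access(now)

    def resource_request(self, access_token, now):
        """True if the protected resource would accept the token (200), False on 401."""
        expiry = self._access.get(access_token)
        return expiry is not None and now < expiry

    def _issue_access(self, now):
        token = secrets.token_hex(8)
        self._access[token] = now + ACCESS_TTL
        return token


def run_refresh_on_expiry(server, store, now):
    """One launch of a spec-conforming client: reuse the cached access token and
    refresh only after the resource server rejects it."""
    if "refresh_token" not in store:
        store["access_token"], store["refresh_token"] = server.authorize(now)
    if server.resource_request(store["access_token"], now):
        return True
    store["access_token"] = server.refresh(store["refresh_token"], now)
    return server.resource_request(store["access_token"], now)


def run_refresh_every_start(server, store, now):
    """One launch of a client that refreshes unconditionally at start-up."""
    if "refresh_token" not in store:
        store["access_token"], store["refresh_token"] = server.authorize(now)
    else:
        store["access_token"] = server.refresh(store["refresh_token"], now)
    return server.resource_request(store["access_token"], now)


def simulate(run, launches=100, interval=60):
    """Launch a short-lived client process `launches` times, `interval` seconds apart.
    Returns (number of refresh-token uses, whether the server blocked the client)."""
    server, store = AuthServer(), {}   # `store` stands in for the on-disk token cache
    for i in range(launches):
        try:
            if not run(server, store, i * interval):
                raise RuntimeError("request unexpectedly failed")
        except PermissionError:
            return server.refresh_calls, True
    return server.refresh_calls, False


if __name__ == "__main__":
    for name, run in (("refresh on expiry", run_refresh_on_expiry),
                      ("refresh every start", run_refresh_every_start)):
        calls, blocked = simulate(run)
        print(f"{name:20s}: refreshes={calls} blocked={blocked}")
```

With launches every minute the conforming client uses its refresh token once in the whole run, while the refresh-at-start client hits the limit and is blocked after ten launches. If the client is launched only once an hour the two behave identically, which is why the spec's rule costs nothing in the best case and avoids the blocking in the worst one.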