On 08/06/2013 11:53 AM, Kanavin, Alexander wrote:
> I'd propose an alternate (and simpler) solution: when we have a
> refresh token, avoid caching the access token.
So every request from an app for a token would result in a roundtrip
to the token endpoint, and a new access token being issued? That's
abuse of refresh tokens, in my opinion.
Not really, given that the use of refresh tokens is not even mandatory.
Clients are supposed to use the tokens they've been issued for as long
as they can, and one of SSO's selling points is a secure token cache.
Yes, but this does not contradict the above.