According to the spec we should be returning a Pragma header in the token response.
The authorization server MUST include the HTTP "Cache-Control"
response header field [RFC2616] with a value of "no-store" in any
response containing tokens, credentials, or other sensitive
information, as well as the "Pragma" response header field [RFC2616]
with a value of "no-cache".
When I was doing a review of our implementation I found that the Pragma header is missing so adding it to be compliant.
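The two directives the spec quote above requires, as a small added example (not code from this repository): a helper that builds the token-endpoint headers, plus a check a reviewer can run over any token response to confirm both directives are present. Python is an assumption here; the project's own language may differ. The check treats header names case-insensitively and accepts extra directives, so a value such as "Cache-Control: no-store, max-age=0" still passes, but a response missing Pragma (the situation this PR fixes) is reported.

```python
"""Token-endpoint cache headers required by RFC 6749 section 5.1.

Added example, not the project's own code.
"""

from typing import Dict, List

# Header names are case-insensitive (RFC 7230), so everything is normalised
# to lower case before comparison.
REQUIRED_DIRECTIVES = {
    "cache-control": "no-store",
    "pragma": "no-cache",
}


def token_response_headers() -> Dict[str, str]:
    """Headers a token endpoint should attach to any response carrying tokens."""
    return {
        "Content-Type": "application/json;charset=UTF-8",
        "Cache-Control": "no-store",
        "Pragma": "no-cache",
    }


def _directives(value: str) -> set:
    """Split a comma-separated header value into lower-cased directive tokens."""
    return {part.strip().lower() for part in value.split(",") if part.strip()}


def missing_cache_headers(headers: Dict[str, str]) -> List[str]:
    """Return the required directives that a response fails to carry.

    An empty list means the response is compliant. Extra directives on the
    same header (for example 'no-store, max-age=0') are tolerated.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    problems: List[str] = []
    for name, directive in REQUIRED_DIRECTIVES.items():
        value = lowered.get(name)
        if value is None or directive not in _directives(value):
            problems.append(f"{name}: {directive}")
    return problems


if __name__ == "__main__":
    # Constructed sample: the pre-fix response described in this PR, where
    # Cache-Control is set but Pragma is missing.
    before_fix = {"Content-Type": "application/json", "Cache-Control": "no-store"}
    print("before fix:", missing_cache_headers(before_fix))  # ['pragma: no-cache']
    print("after fix: ", missing_cache_headers(token_response_headers()))  # []
```

Running the module prints the missing directive for the constructed pre-fix response and an empty list for the corrected headers; the same check can be pointed at a real response's header map during review.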