heroku / identity

[DEPRECATED] Login and OAuth management service for Heroku
https://id.heroku.com/
MIT License

Don't send an expired OAuth access token into refresh #149

Closed brandur closed 9 years ago

brandur commented 9 years ago

Token refresh is accomplished using only:

  1. A refresh token held in the user's cookie.
  2. Identity's OAuth secret.

There's no need to send an (expired) access token into the API while trying to perform the refresh.
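An added example, not part of the issue or of Identity's own code: a refresh request in the RFC 6749 section 6 form that carries only the two inputs listed above, plus a check that a given request does not also carry an access token. The endpoint URL, the function names and the token values are assumptions made for illustration.

```ruby
require "net/http"
require "uri"

# Hypothetical endpoint; the issue does not name one.
TOKEN_URL = "https://id.example.test/oauth/token"

# Build (but do not send) a refresh request. The signature takes only the
# refresh token and the client secret, so there is no path by which an
# expired access token can be attached to it.
def build_refresh_request(refresh_token:, client_secret:, token_url: TOKEN_URL)
  raise ArgumentError, "refresh token missing" if refresh_token.to_s.empty?
  raise ArgumentError, "client secret missing" if client_secret.to_s.empty?

  req = Net::HTTP::Post.new(URI(token_url))
  req.set_form_data(
    "grant_type"    => "refresh_token",
    "refresh_token" => refresh_token,
    "client_secret" => client_secret
  )
  req
end

# True if the token appears in any header value or in the form body.
# Useful as a regression check when requests pass through a shared HTTP
# client that may add a session's bearer token by default.
def carries_token?(req, token)
  in_headers = req.to_hash.values.flatten.any? { |value| value.include?(token) }
  in_body = URI.decode_www_form(req.body.to_s).any? { |_key, value| value.include?(token) }
  in_headers || in_body
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values, not real credentials.
  req = build_refresh_request(refresh_token: "constructed-refresh-token",
                              client_secret: "constructed-client-secret")
  puts req.body
  puts "access token attached: #{carries_token?(req, 'constructed-access-token')}"
end
```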