6.1: Requiring an access token to be unexpired when it is rotated would simplify the text as well as the implementation logic (e.g. around expiration vs. revocation). Why not make the client responsible for rotating the token in a timely manner? If it doesn't, it can always request a new one. #502
The AS can already require clients to rotate in a timely manner, if it wants to. The spec only allows the AS to relax this constraint if it chooses to do so. The current approach moves this complexity to the AS and away from the client, keeping clients as simple as possible.
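The trade-off discussed above (an AS-side policy choice between requiring unexpired tokens for rotation and relaxing that rule, while revoked tokens are never rotatable) can be made concrete with a small model of the AS rotation check. This is an added illustration, not code from the GNAP specification or from the issue participants; the class and method names (`AuthorizationServer`, `rotate`, `allow_expired_rotation`) and the in-memory token store are assumptions for the example.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class AccessToken:
    """Minimal token record kept by the hypothetical AS (assumed shape)."""
    value: str
    expires_at: float
    revoked: bool = False


class RotationError(Exception):
    """Raised when the AS refuses to rotate a token."""


class AuthorizationServer:
    """Hypothetical AS holding the rotation policy, so clients stay simple.

    allow_expired_rotation=False is the strict policy (token must be unexpired);
    True is the relaxed policy the spec permits an AS to choose. Revocation is
    handled separately and always blocks rotation, which is the expiration vs.
    revocation distinction the issue refers to.
    """

    def __init__(self, allow_expired_rotation, lifetime=300.0, clock=time.time):
        self.allow_expired_rotation = allow_expired_rotation
        self.lifetime = lifetime
        self.clock = clock  # injectable for deterministic testing
        self.tokens = {}

    def issue(self):
        # Fresh opaque token value; constructed locally for the example.
        tok = AccessToken(secrets.token_urlsafe(16), self.clock() + self.lifetime)
        self.tokens[tok.value] = tok
        return tok

    def revoke(self, value):
        if value in self.tokens:
            self.tokens[value].revoked = True

    def is_valid(self, value):
        tok = self.tokens.get(value)
        return tok is not None and not tok.revoked and self.clock() < tok.expires_at

    def rotate(self, old_value):
        tok = self.tokens.get(old_value)
        if tok is None or tok.revoked:
            # Revocation (or an unknown token) is never relaxed.
            raise RotationError("token unknown or revoked")
        if self.clock() >= tok.expires_at and not self.allow_expired_rotation:
            # Strict policy: only unexpired tokens may be rotated.
            raise RotationError("token expired; request a new grant")
        # The old token is invalidated regardless of policy, then a new one issued.
        tok.revoked = True
        return self.issue()


def client_refresh(as_server, token_value):
    """Simple client logic: try rotation; on refusal fall back to a new grant.

    Returns (new_token_value, used_rotation) so the outcome can be checked.
    """
    try:
        return as_server.rotate(token_value).value, True
    except RotationError:
        return as_server.issue().value, False
```

Under the strict policy an expired token makes `client_refresh` fall back to a new grant; under the relaxed policy the same client code succeeds via rotation, which is the point that the policy decision lives in the AS while the client logic is unchanged.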