Closed dshanske closed 2 years ago
I'm not sure if this is mentioned elsewhere, in the section 'Refreshing an Access Token' perhaps mention that a refresh can be requested anytime at the discretion of the client; i.e. it does have to wait for an access code to expire before using its refresh token to request a new one.
Good idea... I was trying to summarize the refresh flow and need to cite other sources for guidance. But that one I think should be included.
Re the CHANGES section, that would be after we merge these, we'd add it.
My comments on https://github.com/indieweb/indieauth/pull/94#r706650664 also apply here. The `grant_type` parameter by itself is insufficient for an endpoint to determine what action to take in response to a POST request at the token endpoint.
@jamietanna In your implementation, you send client_id, which isn't in my PR.
Noting my description doesn't talk about client authentication, which is used in Oauth2's refresh, and needs discussion.
Hmm, yes, `client_id` is only required if client authentication is required, which we won't be doing for public (IndieAuth) clients.
I'll check if my server supports not sending it but agreed that can be optional 👍🏽
I was thinking about this. It can be used to check to see if the client matches the original, but if you have a compromised refresh token, you probably have the client ID it came from.
The `client_id` parameter is required to be sent to the token endpoint if there is no client authentication. This is true both in OAuth 2.0 and 2.1:
The motivation for sending it in 2.0 is out of date, but it is still required and still can benefit the authorization server, such as being able to search a smaller index by first adding the `client_id` to the DB lookup. But you are correct that it doesn't add any additional security protection of the refresh token.
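One way a token endpoint might dispatch the refresh request discussed above, as an added example that is neither the spec text nor any participant's server code; the in-memory store, token values, `handle_token_post` and the assumed access-token lifetime are constructed for illustration:

```python
# Added example: minimal token-endpoint dispatch for grant_type=refresh_token.
# Not IndieAuth's or any real server's code; store, tokens and names are constructed.
import secrets

# Constructed in-memory store: refresh token -> the grant it was issued for.
REFRESH_TOKENS = {
    "rt_abc123": {"client_id": "https://app.example/", "me": "https://user.example/",
                  "scope": "create update"},
}
ACCESS_TOKEN_TTL = 3600  # assumed lifetime (seconds) of issued access tokens


def handle_token_post(form, client_authenticated=False):
    """Dispatch a token-endpoint POST on grant_type.

    grant_type alone does not say which parameters are required; each grant
    type validates its own. Without client authentication (public clients),
    client_id is required and used as a lookup key, not as a secret.
    """
    if form.get("grant_type") != "refresh_token":
        return {"error": "unsupported_grant_type"}  # code flow not shown here
    token, client_id = form.get("refresh_token"), form.get("client_id")
    if not token or (not client_authenticated and not client_id):
        return {"error": "invalid_request"}
    grant = REFRESH_TOKENS.get(token)
    if grant is None:
        return {"error": "invalid_grant"}
    # Narrows the lookup and catches a mismatched client; it does not by itself
    # protect a leaked refresh token, since the leak usually includes client_id.
    if client_id and grant["client_id"] != client_id:
        return {"error": "invalid_grant"}
    # A refresh may narrow the granted scope, never widen it.
    scope = grant["scope"]
    requested = form.get("scope")
    if requested:
        if not set(requested.split()) <= set(scope.split()):
            return {"error": "invalid_scope"}
        scope = requested
    # Rotate: the presented refresh token is single use and replaced.
    del REFRESH_TOKENS[token]
    new_rt = "rt_" + secrets.token_urlsafe(16)
    REFRESH_TOKENS[new_rt] = {**grant, "scope": scope}
    return {"access_token": "at_" + secrets.token_urlsafe(16), "token_type": "Bearer",
            "expires_in": ACCESS_TOKEN_TTL, "refresh_token": new_rt,
            "me": grant["me"], "scope": scope}
```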
@aaronpk @jamietanna I think I updated everything requested.
Check to see if PR explicitly says that profile information is to be returned in flow.
Tried to add in refresh tokens and expiration.