Closed jameshfisher closed 7 years ago
Currently the refresh token is strictly more powerful than an access token, defeating the point of this mechanism. There needs to be some way to distinguish them, and verifiers should check whether the token they receive is of the expected type.
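A sketch of the check requested above, as an added example that is not part of the original issue or the project's code. It assumes HS256-signed JWT-style tokens and a hypothetical `token_type` claim; the key and all function names are constructed for illustration.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-key"  # constructed sample key

class TokenError(Exception):
    """Raised when a token fails any verification step."""

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input):
    return hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()

def issue(sub, token_type, ttl, now=None):
    """Issue a token whose `token_type` claim (hypothetical name) states its purpose."""
    now = int(time.time()) if now is None else now
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = _b64(json.dumps(
        {"sub": sub, "token_type": token_type, "exp": now + ttl}).encode())
    return f"{header}.{claims}.{_b64(_sign(header + '.' + claims))}"

def verify(token, expected_type, now=None):
    """Return the claims only if signature, expiry and token type all check out."""
    now = int(time.time()) if now is None else now
    try:
        header, claims, sig = token.split(".")
        sig_bytes = _unb64(sig)
    except ValueError as exc:
        raise TokenError("malformed token") from exc
    # Authenticate before parsing any claim.
    if not hmac.compare_digest(_sign(f"{header}.{claims}"), sig_bytes):
        raise TokenError("bad signature")
    payload = json.loads(_unb64(claims))
    if payload.get("exp", 0) <= now:
        raise TokenError("expired")
    # The check the issue asks for: a validly signed token of the wrong
    # type (or with no type at all) is rejected by this verifier.
    if payload.get("token_type") != expected_type:
        raise TokenError(f"expected {expected_type} token")
    return payload
```

A resource endpoint would call `verify(token, "access")` and the token-refresh endpoint `verify(token, "refresh")`, so neither token is accepted in place of the other.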