[Openid-specs-risc] token-issued event
mscurtescu at google.com
Mon Apr 9 23:35:39 UTC 2018
Currently oauth-event-types defines a token-revoked event (section 2.1):
In a conversation last week it came up that maybe we should also have an
equivalent token-issued event, to be sent every time some new token is
issued (a new authorization code or a new refresh token for example). This
might allow a client to detect if users are phished and some tokens never
reach the intended redirect URIs, for example.
I think there is a similar proposal for actual consent events, not exactly
the same, but in ways similar. Does anyone have pointers to that?
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Openid-specs-risc