[Openid-specs-fapi] Issue #456: Proposal - should we remove support for refresh token rotation from FAPI 2.0 (one of the drafts) (openid/fapi)

Ralph Bragg issues-reply at bitbucket.org
Thu Oct 14 17:07:35 UTC 2021


New issue 456: Proposal - should we remove support for refresh token rotation from FAPI 2.0 (one of the drafts)
https://bitbucket.org/openid/fapi/issues/456/proposal-should-we-remove-support-for

Ralph Bragg:

Joseph and I have independently been approached by different elements of Brazil regarding the support for Refresh Token rotation in an ecosystem. Given that this credential is bound to a Client, that the authentication mechanisms allowed by FAPI are asymmetric, and that it continues to cause significant challenges for Clients when a Refresh Token is lost during refresh token utilisation, are there any benefits of continuing to support RT rotation?

FAPI doesn’t ban the use of refresh token rotation nor call out the potential challenges if a Bank enforces RT rotation on clients. Do we want to do anything about this area in FAPI 2.0 or any of the family of FAPI 2 specifications?
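The failure mode the issue refers to, a Client that never receives the rotated token and is left holding one the server has already invalidated, is easy to reproduce in a small model. The following is an added illustration for this thread, not code from the FAPI specifications or the openid/fapi repository: an in-memory authorization server with an optional rotation policy, reuse detection that revokes the whole token family (the behaviour the OAuth 2.0 Security Best Current Practice describes for rotated refresh tokens), and a simulation of a refresh response lost in transit. The token formats, the `AuthorizationServer` class and the constructed client id are assumptions made for the example.

```python
"""Refresh token rotation and the lost-response problem (illustration only).

Assumptions (not from the FAPI specs): opaque random tokens, an in-memory
store, and a token "family" id that groups every token descending from one
grant so that reuse of a rotated token can revoke all of them.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class RefreshTokenRecord:
    client_id: str              # the Client the credential is bound to
    family: str                 # shared by all tokens issued from one grant
    used: bool = False          # set once the token has been exchanged
    successor: Optional[str] = None


class AuthorizationServer:
    def __init__(self, rotate: bool = True) -> None:
        self.rotate = rotate
        self.tokens: Dict[str, RefreshTokenRecord] = {}
        self.revoked_families: Set[str] = set()

    def issue_grant(self, client_id: str) -> str:
        """Issue the first refresh token of a new grant (new family)."""
        rt = secrets.token_urlsafe(32)
        self.tokens[rt] = RefreshTokenRecord(client_id, secrets.token_hex(8))
        return rt

    def refresh(self, client_id: str, refresh_token: str) -> dict:
        """Exchange a refresh token; raises ValueError for invalid_grant."""
        rec = self.tokens.get(refresh_token)
        # Reject unknown tokens and tokens bound to a different Client.
        if rec is None or rec.client_id != client_id:
            raise ValueError("invalid_grant")
        if rec.family in self.revoked_families:
            raise ValueError("invalid_grant: family revoked")
        if not self.rotate:
            # No rotation: the same refresh token stays valid across calls.
            return {"access_token": secrets.token_urlsafe(16),
                    "refresh_token": refresh_token}
        if rec.used:
            # A rotated token presented twice: either the Client lost the
            # rotated token, or the old one leaked. The server cannot tell
            # which, so the whole family is revoked and the Client must
            # re-authorize.
            self.revoked_families.add(rec.family)
            raise ValueError("invalid_grant: refresh token reuse detected")
        rec.used = True
        new_rt = secrets.token_urlsafe(32)
        rec.successor = new_rt
        self.tokens[new_rt] = RefreshTokenRecord(client_id, rec.family)
        return {"access_token": secrets.token_urlsafe(16),
                "refresh_token": new_rt}


def simulate_lost_response(rotate: bool) -> str:
    """Refresh once, drop the response, retry with the old token."""
    srv = AuthorizationServer(rotate=rotate)
    client_id = "tpp-client-example"   # constructed id for the simulation
    stored_rt = srv.issue_grant(client_id)
    # The server processes the first refresh, but the response never
    # reaches the Client, so the Client still holds only stored_rt.
    srv.refresh(client_id, stored_rt)
    try:
        srv.refresh(client_id, stored_rt)   # retry with the only token held
        return "recovered"
    except ValueError:
        return "re-authorization required"


if __name__ == "__main__":
    for policy in (True, False):
        print(f"rotation={policy}: {simulate_lost_response(policy)}")
```

Running the simulation with rotation enabled ends in "re-authorization required": the retry trips reuse detection and the family is revoked, which is the operational cost the issue describes. Without rotation the retry simply succeeds. The model also shows what rotation buys in return, namely that a leaked-and-replayed refresh token is detected; with client-bound credentials and asymmetric client authentication that leak scenario is much narrower, which is the trade-off the proposal asks the working group to weigh.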


