[Openid-specs-fapi] Issue #676: Incorrect reference in note2 (openid/fapi)
Ralph Bragg
issues-reply at bitbucket.org
Fri Feb 23 21:25:31 UTC 2024
New issue 676: Incorrect reference in note2
https://bitbucket.org/openid/fapi/issues/676/incorrect-reference-in-note2
Ralph Bragg:
**NOTE 2**: Refresh token rotation is an optional feature defined in Section 6 of [@!RFC6749] where the authorization server issues a new refresh token to the client as part of the `refresh_token` grant. This specification discourages the use of this feature as it does not bring any security benefits for confidential clients, and can cause significant operational issues. However, to allow for operational agility, authorization servers may implement it providing they meet the requirement in Clause 9.
Wrong reference; should be Clause 10.
1. shall not use refresh token rotation unless, in the case a response with a new refresh token is not received and stored by the client, retrying the request (with the previous refresh token) will succeed;
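To make the Clause 10 condition concrete, here is an added example (not text from the FAPI specification and not the reporter's code) of a minimal in-memory authorization server in Python that rotates refresh tokens without breaking a client whose rotation response was lost in transit. It contrasts a naive server that revokes the old token the moment a new one is minted with one that keeps the old token mapped to its successor until the successor is first presented, so a retry with the previous token returns the same new token. Class names, the token store and the scenario helpers are assumptions for illustration; access-token issuance is omitted.

```python
"""Refresh token rotation that survives a lost response (added example)."""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


class InvalidGrant(Exception):
    """Corresponds to the OAuth 2.0 'invalid_grant' token endpoint error."""


@dataclass
class RefreshToken:
    family: str                       # all tokens descending from one grant
    successor: Optional[str] = None   # token minted to replace this one
    revoked: bool = False


class NaiveRotatingServer:
    """Rotation as commonly implemented: the presented token is revoked as soon
    as its replacement is minted. If the response never reaches the client,
    the client is left holding a dead token and its retry fails."""

    def __init__(self) -> None:
        self.tokens: Dict[str, RefreshToken] = {}

    def issue(self, family: Optional[str] = None) -> str:
        tok = secrets.token_urlsafe(16)
        self.tokens[tok] = RefreshToken(family=family or tok)
        return tok

    def refresh(self, presented: str) -> str:
        rec = self.tokens.get(presented)
        if rec is None or rec.revoked:
            raise InvalidGrant("unknown or revoked refresh token")
        rec.revoked = True
        return self.issue(rec.family)


class RetrySafeRotatingServer(NaiveRotatingServer):
    """Rotation meeting the 'retry with the previous token succeeds' condition:
    the old token is not revoked but linked to its successor. Presenting it
    again before the successor has been used replays the same successor;
    presenting it after the successor has been used is treated as reuse."""

    def _revoke_family(self, family: str) -> None:
        for rec in self.tokens.values():
            if rec.family == family:
                rec.revoked = True

    def refresh(self, presented: str) -> str:
        rec = self.tokens.get(presented)
        if rec is None or rec.revoked:
            raise InvalidGrant("unknown or revoked refresh token")
        if rec.successor is None:
            # First use: rotate, remembering the successor instead of revoking.
            rec.successor = self.issue(rec.family)
            return rec.successor
        succ = self.tokens[rec.successor]
        if succ.successor is None and not succ.revoked:
            # The client evidently never stored the first response: replay it.
            return rec.successor
        # The old token reappears after the client moved on: reuse detected.
        self._revoke_family(rec.family)
        raise InvalidGrant("refresh token reuse detected; grant revoked")


def lost_response_scenario(server_cls) -> Optional[bool]:
    """Client refreshes, the response is lost, client retries with the old token.
    Returns True if the retry yields the same new token, None if it fails."""
    srv = server_cls()
    rt0 = srv.issue()
    rt1 = srv.refresh(rt0)          # response lost; client still holds rt0
    try:
        return srv.refresh(rt0) == rt1
    except InvalidGrant:
        return None


def reuse_scenario() -> bool:
    """A stale token replayed after the client has moved on revokes the family."""
    srv = RetrySafeRotatingServer()
    rt0 = srv.issue()
    rt1 = srv.refresh(rt0)
    rt2 = srv.refresh(rt1)          # client stored rt1 and used it
    try:
        srv.refresh(rt0)            # leaked rt0 replayed by a third party
    except InvalidGrant:
        pass
    try:
        srv.refresh(rt2)            # legitimate client is now cut off too
        return False
    except InvalidGrant:
        return True


if __name__ == "__main__":
    print("naive retry ok:", lost_response_scenario(NaiveRotatingServer))
    print("retry-safe retry ok:", lost_response_scenario(RetrySafeRotatingServer))
    print("reuse revokes family:", reuse_scenario())
```

The trade-off the note alludes to is visible here: the grace window that lets the retry succeed also means a previous token stolen before the client has used its successor yields that same successor, which is why the retry-safe variant falls back to family revocation once reuse is unambiguous. For a confidential client that already authenticates at the token endpoint, the rotation adds no protection the client credential does not already give.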