Re: [OAUTH-WG] Refresh Tokens

Dick Hardt <> Thu, 11 August 2011 17:50 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 8EBE021F8C81 for <>; Thu, 11 Aug 2011 10:50:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -3.598
X-Spam-Status: No, score=-3.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 5ZkRUFGg52hv for <>; Thu, 11 Aug 2011 10:50:29 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id CC8B921F8C7E for <>; Thu, 11 Aug 2011 10:50:28 -0700 (PDT)
Received: by yie12 with SMTP id 12so1745743yie.31 for <>; Thu, 11 Aug 2011 10:51:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=gamma; h=subject:mime-version:content-type:from:in-reply-to:date:cc :message-id:references:to:x-mailer; bh=4FhX9OlgaYqpYCmO9jmca+b+abx6uoHRpK5dobrwDZA=; b=mSz+5QRF4mtXgnLGrku0/3Y5huDSFV44LfxYixE5EjGOmXe635gWY3wRC8CJ/zmXrL BiLcntH9LrgUNYpP93m3ewCynU2FO7fQkmB7K4pictIpgWI/gnC4Zd9ltsF5lvNy1crF LliD4ooOlm/5HKmnb1XJPYox+p6UlHNAxiFnI=
Received: by with SMTP id z7mr1149117icj.157.1313085063180; Thu, 11 Aug 2011 10:51:03 -0700 (PDT)
Received: from [] ( []) by with ESMTPS id hq1sm3424156icc.2.2011. (version=TLSv1/SSLv3 cipher=OTHER); Thu, 11 Aug 2011 10:51:02 -0700 (PDT)
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: multipart/alternative; boundary=Apple-Mail-25--229589295
From: Dick Hardt <>
In-Reply-To: <>
Date: Thu, 11 Aug 2011 10:50:59 -0700
Message-Id: <>
References: <>
To: Anthony Nadalin <>
X-Mailer: Apple Mail (2.1084)
Cc: "OAuth WG \(\)" <>
Subject: Re: [OAUTH-WG] Refresh Tokens
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 11 Aug 2011 17:50:29 -0000

My recollection of refresh tokens was for security and revocation.

security: By having a short lived access token, a compromised access token would limit the time an attacker would have access

revocation: if the access token is self contained, authorization can be revoked by not issuing new access tokens. A resource does not need to query the authorization server to see if the access token is valid.This simplifies access token validation and makes it easier to scale and support multiple authorization servers.  There is a window of time when an access token is valid, but authorization is revoked. 

On 2011-08-11, at 10:40 AM, Anthony Nadalin wrote:

> Nowhere in the specification is there explanation for refresh tokens, The reason that the Refresh token was introduced was for anonymity. The scenario is that a client asks the user for access. The user wants to grant the access but not tell the client the user's identity. By issuing the refresh token as an 'identifier' for the user (as well as other context data like the resource) it's possible now to let the client get access without revealing anything about the user. Recommend that the above explanation be included so developers understand why the refresh tokens are there.
> _______________________________________________
> OAuth mailing list