Why is a refresh token needed if an authorization code is being used? I thought the whole point of the authorization code was to get the refresh token so it never crosses the wire?
But, even more interestingly, OpenID negates the whole purpose of the refresh token!
PLEASE RE-READ THE PREVIOUS SENTENCE, IT’S IMPORTANT.
The whole point of the refresh token was to give the client a handle for the user that could be anonymized so that delegating a permission didn’t mean also giving up the user’s identity. But the whole @#$@ purpose of OpenID is to IDENTIFY THE USER!!! So in an OpenID context there should never be a need to have a refresh token. Instead we should be able to include the user’s identity directly into the call.