"Clause 20" does not exist any longer...
Current text:
NOTE: Refresh token rotation is an optional feature defined in [RFC6749] section 6 where the Authorization Server issues a new refresh token to the client as part of the `refresh_token` grant. This specification discourages the use of this feature as it doesn't bring any security benefits for confidential clients, and can cause significant operational issues. However, to allow for operational agility, Authorization Servers may implement it providing they meet the requirement in clause 20.
However, clause 20 does not exist. This reference needs to point to this item in the AS requirements:
shall not use refresh token rotation unless, in the case a response with a new refresh token is not received and stored by the client, retrying the request (with the previous refresh token) will succeed.
Comments (3)
- changed component to FAPI2: Security Profile
- changed status to resolved
PR merged
Brian has a PR for this: https://bitbucket.org/openid/fapi/pull-requests/392