Client Refreshes Access Token

33 views
Skip to first unread message

Jason Hullinger

unread,
Mar 3, 2010, 3:28:51 AM3/3/10
to OAuth WRAP WG
5.4.8 of the spec regarding refreshing the access toke (http://oauth-
wrap-wg.googlegroups.com/web/WRAP-v0.9.7.2.pdf?
gda=PQ2820QAAABFB7PFAFiVedPtjcqT8uuI-
i0735sCYpWrZiyMgzMPZhidFvlYqd_ZjmG9h9kh5-pV6u9SiETdg0Q2ffAyHU-
dzc4BZkLnSFWX59nr5BxGqA) says:

"
Upon receiving the HTTP 401 response when accessing protected resource
per §4, the Client makes an HTTPS request to the Authorization
Server's Refresh Token URL using POST. The request contains the
following parameters:

wrap_client_id
REQUIRED. The Client Identifier

wrap_client_secret
REQUIRED. The Client Secret

wrap_refresh_token
REQUIRED. The Refresh Token that was received in 5.3.4
"

Was this meant to be a server to server call or the clients browser
posting to the providers server?

~/Jason Hullinger

Allen Tom

unread,
Mar 4, 2010, 1:48:12 PM3/4/10
to oauth-...@googlegroups.com
Hi Jason -

This is intended to be a server to server call. The wrap_client_secret is
used to authenticate the client, which makes it unsafe to send to the user's
browser.

Hope that helps
Allen

On 3/3/10 12:28 AM, "Jason Hullinger" <sshj...@gmail.com> wrote:

> 5.4.8 of the spec regarding refreshing the access toke (http://oauth-

>

Jason Hullinger

unread,
Mar 4, 2010, 2:48:13 PM3/4/10
to oauth-...@googlegroups.com
Thanks, this is what I assumed, but wanted to double check. I have another question about 5.3 of the spec, but I'll start another thread.

Thanks again,

~/Jason Hullinger

--
You received this message because you are subscribed to the Google Groups "OAuth WRAP WG" group.
To post to this group, send email to oauth-...@googlegroups.com.
To unsubscribe from this group, send email to oauth-wrap-w...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/oauth-wrap-wg?hl=en.


Reply all
Reply to author
Forward
0 new messages