...

Do we have any need or desire to require refresh tokens to be issued in all cases, perhaps due to the positioning of the claims-required request, or is this a matter purely between a requester (client) and AM (authorization server)?

Also, how should the claims-required flow be integrated into the OAuth substrate? We've been asked for input on whether we need new OAuth error messages beyond the HTTP error layer. Do we need a new OAuth error, or an explicit extension point for an UMA error, or no explicit extension point at all for adding our own flow at this point?

Identity tokens

George Fletcher and Praveen Alavilli have mused on how to create "identity tokens" that would represent a particular user online in a generic way. Is this applicable to UMA scenarios in which the authorizing user or the requesting party must be identified? If so, is it useful for us to standardize it in some spec module? See:

...