...
Interactions between refresh tokens and the claims-required flow
(Assigned to Paul)
Do we have any need or desire to require refresh tokens to be issued in all cases, perhaps due to the positioning of the claims-required request, or is this a matter purely between a requester (client) and AM (authorization server)? Also, how should the claims-required flow be integrated into the OAuth substrate?
Paul recommends that this is a matter purely between these two parties. Recommendation APPROVED on 2010-04-08.
Error messages
We've been asked for input on whether we need new OAuth error messages beyond the HTTP error layer. Do we need a new OAuth error around "claims-required", or an explicit extension point for an UMA error, or no explicit extension point at all for adding our own flow at this point?
...