Sender-constrained refresh tokens examples improvement

In section 4.3.1, the current text says: 

> Sender-constrained refresh tokens: the authorization server cryptographically binds the refresh token to a certain client instance, e.g., by utilizing DPoP [[RFC9449](https://www.ietf.org/archive/id/draft-ietf-oauth-v2-1-14.html#RFC9449)] or mTLS [[RFC8705](https://www.ietf.org/archive/id/draft-ietf-oauth-v2-1-14.html#RFC8705)].


Now, according to RFC 6749 section 10.4 stats: 

> The authorization server MUST NOT issue refresh tokens to clients that cannot protect the confidentiality of client credentials

So, in the case of a confidential client, all refresh tokens are, in fact, sender-constrained. 
I proposed to add this fact to the text. for example, changing e.g. to

e.g., issueing only to a confidential client as in [RFC6749], by utilizing DPoP [[RFC9449](https://www.ietf.org/archive/id/draft-ietf-oauth-v2-1-14.html#RFC9449)] or mTLS [[RFC8705](https://www.ietf.org/archive/id/draft-ietf-oauth-v2-1-14.html#RFC8705)].

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Sender-constrained refresh tokens examples improvement #232

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Sender-constrained refresh tokens examples improvement #232

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions