There is one small issue though: it is now possible to exchange the same
code for a token multiple times. I am not sure if we already discussed this
and decided that it's the "price to pay" to have a stateless TokenService.
However, the OAuth2 spec is not so happy with this (see 4.1.2 and 10.5).
Did we consider saving codes (or exchanged codes) into the DB and having some
periodic task to clean them up?
On 20.6.2014 16:43, Bill Burke wrote:
Is there anything else that is stateful about the token service?
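
The idea raised in this message (record exchanged codes and purge them periodically), sketched as an added example that is not code from the thread or from the project. The `<id>.<expiry>.<hmac>` code format, the `SECRET` key, the `redeemed` table and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import sqlite3
import time

SECRET = b"constructed-demo-key"  # assumption: the server's signing key

def _sign(body):
    return hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()

def issue_code(code_id, now, lifetime=60):
    """Stateless code in a hypothetical '<id>.<expiry>.<hmac>' format."""
    body = f"{code_id}.{int(now + lifetime)}"
    return f"{body}.{_sign(body)}"

class RedeemedCodes:
    """Remembers exchanged code ids until the codes expire."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE redeemed (code_id TEXT PRIMARY KEY, exp INTEGER)")

    def redeem(self, code, now):
        try:
            body, sig = code.rsplit(".", 1)
            code_id, exp = body.rsplit(".", 1)
        except ValueError:
            return "invalid"
        if not hmac.compare_digest(sig.encode(), _sign(body).encode()):
            return "invalid"
        if int(exp) <= now:
            return "expired"
        try:
            # The PRIMARY KEY makes check-and-record one atomic step, so a
            # second exchange of the same code fails here.
            with self.db:
                self.db.execute(
                    "INSERT INTO redeemed VALUES (?, ?)", (code_id, int(exp)))
        except sqlite3.IntegrityError:
            return "replayed"
        return "ok"

    def cleanup(self, now):
        """Periodic task: expired codes are refused anyway, so drop their rows."""
        with self.db:
            cur = self.db.execute("DELETE FROM redeemed WHERE exp <= ?", (now,))
        return cur.rowcount
```

Because the expiry check runs before the lookup, the table only has to hold a row for the lifetime of the code, which keeps the cleanup task cheap when codes are short-lived.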