missing oauth2:authorize_password/3 with refresh token

[IvanMartinez]

The protocol specification allows to issue a refresh token in the response to a Resource Owner Password Credential Grant:
http://tools.ietf.org/html/rfc6749#section-4.3.3
However the current implementation of oauth2:authorize_password/3 uses issue_token/4, so a refresh token can't be issued. It should be possible to use issue_token_and_refresh/4 when desired.

[bipthelin]

Agree, this should be in there.

[IvanMartinez]

Similar case in oauth2:authorize_code_grant/4, it always issues a refresh token when it is optional in the specification. I see four possible solutions:

• Making two versions of authorize_password and authorize_code_grant. I don't like it because they would be redundant, only different in wether they use issue_token or issue_token_and_refresh.
• Add an extra flag parameter to these functions, to tell them wether they should issue a refresh token or not. This is what I'm currently using but I don't really like it, I don't think it's "elegant".
• Pass issue_token or issue_token_refresh as an argument to authorize_password and authorize_code_grant. I think it's a too fancy and complex solution for a small problem, I don't see the point of so much flexibility if there are just two posibilities.
• Take issue_token and issue_token_and_refresh out of authorize_password and authorize_code_grant, so developers authorize the grant and then explicitly call the function to issue the token. We would have to change every other oauth2 function to be consistent with this new way. This is my favourite, IMHO it makes perfect sense to separate the request verification from the issuing of tokens and codes.

What do you think?.

[bipthelin]

I agree that suggestion 4 is probably the way to go.

[IvanMartinez]

Good, I will work it out and open and PR.

[bipthelin]

Awsome, great work Ivan!

[IvanMartinez]

See PR #25

[bipthelin]

Merged