note the need for limitations on refresh token

oauth3.issuer.js

@@ -420,6 +420,17 @@ OAUTH3.authz.redirectWithToken = function (providerUri, session, clientParams, s
     , debug: clientParams.debug
     }).then(function (results) {
 
+      // TODO limit refresh token to an expirable token
+      // TODO inform client not to persist token
+      /*
+      if (clientParams.dnsTxt) {
+        Object.keys(results).forEach(function (key) {
+          if (/refresh/.test(key)) {
+            results[key] = undefined;
+          }
+        });
+      }
+      */
       OAUTH3.url.redirect(clientParams, scopes, results);
     });
   }