From 02bb01fdf4f2f697813d893066294086c3d608ed Mon Sep 17 00:00:00 2001
From: AJ ONeal
Date: Thu, 16 Mar 2017 17:23:19 -0400
Subject: [PATCH] note the need for limitations on refresh token
---
 oauth3.issuer.js | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/oauth3.issuer.js b/oauth3.issuer.js
index dfacf07..680044c 100644
--- a/oauth3.issuer.js
+++ b/oauth3.issuer.js
@@ -420,6 +420,17 @@ OAUTH3.authz.redirectWithToken = function (providerUri, session, clientParams, s
 , debug: clientParams.debug
 }).then(function (results) {
+ // TODO limit refresh token to an expirable token
+ // TODO inform client not to persist token
+ /*
+ if (clientParams.dnsTxt) {
+ Object.keys(results).forEach(function (key) {
+ if (/refresh/.test(key)) {
+ results[key] = undefined;
+ }
+ });
+ }
+ */
 OAUTH3.url.redirect(clientParams, scopes, results);
 });
 }
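Review bot: The lines added after `.then(function (results) {` change no behaviour, because the filter is commented out: every key of `results`, including any that matches `/refresh/`, still reaches `OAUTH3.url.redirect(clientParams, scopes, results)` unchanged, so the limitation named in the two TODOs is not enforced yet. A disabled block in the tree tends to drift from the code around it; I would keep only the TODOs with a tracking reference, or enable the filter under the `clientParams.dnsTxt` condition it already names and state in a comment what that flag signifies. If the block is enabled, `results[key] = undefined;` leaves the key in place, and depending on how `OAUTH3.url.redirect` serialises `results` (not visible here) the client may receive the literal text `undefined`; `delete results[key];` removes the field. The body of `redirectWithToken` begins and ends outside the hunk.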