Some conversations about this issue with large-scale service providers has shown me that synchronization of items at the authorization step is tractable, but it’s synchronization at the resource servers that’s ultimately problematic. As such, using hashes to protect presentation of shared secrets might be the best approach after all.