On Thu, Apr 1, 2010 at 12:31 PM, Eran Hammer-Lahav <e...@hueniverse.com> wrote:
>
> On 4/1/10 11:37 AM, "Marius Scurtescu" <mscurte...@google.com> wrote:
>
>> SAML assertions contain the expiry inside, the OAuth "expires"
>> parameter would be redundant, maybe this is why it is optional?
>
> The token expiration doesn't have to be the same as the assertion.

Yep, sorry, I got mixed up.

>> But, do we want to make this parameter required in general? Why not
>> leave it optional for all flows? What if an Authorization Server
>> implements some other mechanism to expire them (number of uses for
>> example) and a fixed expiry time does not make sense?
>
> The expiration parameter should be optional everywhere. If it is not, it's
> because I didn't get to it (or messed up).

Sounds great.

Marius