> One of the first things a client is going to do after receiving the 
> expires_in is calculate the current time plus the offset.
The client does not need to do that.
The draft oauth-v2-v11 does not specify what the client has to do with the 
parameter expires_in. In fact, it may do nothing. If an access token has 
expired then the resource server rejects the client's request and the client 
has to obtain a new access token.
Time synchronization is necessary between the authorization and resource 
servers, but "the methods used by the resource server to validate the access 
token are beyond the scope" of the draft.

Zachary
________________________________
From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Aaron 
Parecki
Sent: Tuesday, December 14, 2010 6:23 PM
To: Paul Walker
Cc: OAuth WG
Subject: Re: [OAUTH-WG] expires_at vs expires_in


Agreed. I like the idea of expires_at as well. One of the first things a client 
is going to do after receiving the expires_in is calculate the current time 
plus the offset. Makes sense to eliminate one source of timing errors.
On Dec 14, 2010 2:54 PM, "Paul Walker" <pjwal...@gmail.com> wrote:
> It seems to me that expires_in suffers from the same machine time 
> synchronization issue and additionally throws in an indeterminable time 
> amount, while expires_at would only suffer from the former.
>
> ~pj
>
> On Dec 14, 2010, at 1:35 PM, Marius Scurtescu wrote:
>
>> expires_at requires very good time synchronization for all machines involved.
>>
>> expires_in, while not very exact, is more resilient.
>>
>> Marius
>>
>>
>>
>> On Tue, Dec 14, 2010 at 1:24 PM, Jitesh Bhate <jbh...@exacttarget.com> wrote:
>>> I have the same question. Thanks, Paul, for raising this.
>>>
>>> Regards
>>> Jitesh
>>>
>>> -----Original Message-----
>>> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of 
>>> Paul Walker
>>> Sent: Tuesday, December 14, 2010 4:14 PM
>>> To: OAuth WG
>>> Subject: [OAUTH-WG] expires_at vs expires_in
>>>
>>> Has there been discussion of using expires_at as an exact epoch time in 
>>> seconds as opposed to expires_in which is, at best, an approximation "from 
>>> the time the response was generated by the authorization server?" I 
>>> apologize if this has been discussed previously.
>>>
>>> ~pj
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
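
The client-side arithmetic behind the two positions in this thread, as an added example that is not part of any message above. It models one token response and compares the validity a client would estimate from a relative `expires_in` (counted on a local timer) with the estimate from an absolute `expires_at` (the parameter proposed in the thread, read against the client's wall clock). The `Exchange` fields, function names and sample values are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Exchange:
    """One constructed token request; every value is in seconds."""
    issued_at: float      # server clock when the response was generated
    lifetime: int         # validity period chosen by the authorization server
    client_skew: float    # client wall clock minus server wall clock
    request_leg: float    # network delay, client -> server
    response_leg: float   # network delay, server -> client

def true_remaining(x):
    """Validity actually left at the moment the client reads the response."""
    return x.lifetime - x.response_leg

def estimate_expires_in(x, anchor):
    """Client's estimate from a relative lifetime, counted on a local timer.

    anchor="received": countdown starts when the response arrives.
    anchor="sent": countdown starts when the request left, so the estimate
    can only be too short, never too long.
    """
    if anchor == "received":
        return float(x.lifetime)
    if anchor == "sent":
        return x.lifetime - (x.request_leg + x.response_leg)
    raise ValueError(anchor)

def estimate_expires_at(x):
    """Client's estimate from an absolute epoch, read against its wall clock."""
    expires_at = x.issued_at + x.lifetime
    client_now = x.issued_at + x.response_leg + x.client_skew
    return expires_at - client_now

def errors(x):
    """Estimate minus truth; positive means the client overestimates validity."""
    t = true_remaining(x)
    return {
        "expires_in/received": estimate_expires_in(x, "received") - t,
        "expires_in/sent": estimate_expires_in(x, "sent") - t,
        "expires_at": estimate_expires_at(x) - t,
    }

# Constructed sample: client clock two minutes behind, sub-second network legs.
SAMPLE = Exchange(issued_at=1292368980.0, lifetime=3600, client_skew=-120.0,
                  request_leg=0.5, response_leg=0.25)

if __name__ == "__main__":
    for name, err in errors(SAMPLE).items():
        print(f"{name:20s} {err:+.2f} s")
```

In this model the `expires_in` error is bounded by the network legs and does not depend on the client's wall clock, while the `expires_at` error equals the clock skew.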