A question came up about the access token expiration when expires_in is not included in the response. This should probably be made clearer in the spec. The three options are:

1. Does not expire (but can be revoked)
2. Single use token
3. Defaults to whatever the authorization server decides and until revoked

#3 is the assumed answer given the WG history. I'll note that in the spec, but wanted to make sure this is the explicit WG consensus.

EHL

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
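
The following Python example is added here and is not part of the original message or of the spec. It shows how a client could handle option 3: a missing expires_in is treated as a server-decided lifetime, and a 401 from the resource server is the expiry signal. The names CachedToken, parse_token_response and on_resource_response, the 30-second skew, and the sample responses are assumptions constructed for illustration.

```python
import json
from dataclasses import dataclass
from typing import Optional

# Constructed sample token responses (not taken from any real server).
WITH_EXPIRY = '{"access_token": "tok-a", "token_type": "bearer", "expires_in": 3600}'
WITHOUT_EXPIRY = '{"access_token": "tok-b", "token_type": "bearer"}'


@dataclass
class CachedToken:
    access_token: str
    expires_at: Optional[float]  # None: the server did not state a lifetime
    rejected: bool = False       # set once the resource server refuses the token

    def usable(self, now: float, skew: float = 30.0) -> bool:
        """Decide whether to present the token or fetch a new one first."""
        if self.rejected:
            return False
        if self.expires_at is None:
            # Option 3: lifetime is whatever the authorization server decided.
            # The client cannot know it, so it keeps using the token until
            # the resource server rejects it (expired or revoked).
            return True
        # Stated lifetime: stop slightly early to absorb clock skew.
        return now < self.expires_at - skew


def parse_token_response(body: str, now: float) -> CachedToken:
    """Build a cache entry; an absent expires_in is not treated as an error."""
    data = json.loads(body)
    token = data["access_token"]
    raw = data.get("expires_in")
    if raw is None:
        return CachedToken(token, None)
    # bool is a subclass of int in Python, so exclude it explicitly.
    if isinstance(raw, bool) or not isinstance(raw, (int, float)) or raw < 0:
        raise ValueError("expires_in must be a non-negative number of seconds")
    return CachedToken(token, now + raw)


def on_resource_response(token: CachedToken, status: int) -> None:
    """Record a rejection; this is the only expiry signal when expires_in was omitted."""
    if status == 401:
        token.rejected = True
```

Treating the missing field as option 1 (never expires) or option 2 (single use) would change only the `expires_at is None` branch of `usable`, which is why the choice between the three options matters to client authors.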