expires_in
OPTIONAL. The lifetime in seconds of the access token. For
example, the value
<spanx style='verb'>3600</spanx> denotes that the access token
will expire in one
hour from the time the response was generated. The
authorization server SHOULD
document its default expiration value in case the parameter is
omitted.
EHL
> -----Original Message-----
> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf
> Of Eran Hammer
> Sent: Monday, January 16, 2012 10:53 AM
> To: OAuth WG
> Cc: wolter.eldering
> Subject: [OAUTH-WG] Access Token Response without expires_in
>
> A question came up about the access token expiration when expires_in is
> not included in the response. This should probably be made clearer in the
> spec. The three options are:
>
> 1. Does not expire (but can be revoked)
> 2. Single use token
> 3. Defaults to whatever the authorization server decides and until revoked
>
> #3 is the assumed answer given the WG history. I'll note that in the spec, but
> wanted to make sure this is the explicit WG consensus.
>
> EHL
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
