How do you feel about changing expires_in from OPTIONAL to RECOMMENDED? EHL
> -----Original Message----- > From: Richer, Justin P. [mailto:jric...@mitre.org] > Sent: Monday, January 16, 2012 7:29 PM > To: Eran Hammer > Cc: OAuth WG; wolter.eldering > Subject: Re: [OAUTH-WG] Access Token Response without expires_in > > I think #3. > > #1 will be a common instance, and #2 (or its variant, a limited number of > uses) is a different expiration pattern than time that would want to have its > own expiration parameter name. I haven't seen enough concrete use of this > pattern to warrant its own extension though. > > Which is why I vote #3 - it's a configuration issue. Perhaps we should rather > say that the AS "SHOULD document the token behavior in the absence of this > parameter, which may include the token not expiring until explicitly revoked, > expiring after a set number of uses, or other expiration behavior." That's a > lot > of words here though. > > -- Justin > > On Jan 16, 2012, at 1:53 PM, Eran Hammer wrote: > > > A question came up about the access token expiration when expires_in is > not included in the response. This should probably be made clearer in the > spec. The three options are: > > > > 1. Does not expire (but can be revoked) 2. Single use token 3. > > Defaults to whatever the authorization server decides and until > > revoked > > > > #3 is the assumed answer given the WG history. I'll note that in the spec, > but wanted to make sure this is the explicit WG consensus. > > > > EHL > > > > > > _______________________________________________ > > OAuth mailing list > > OAuth@ietf.org > > https://www.ietf.org/mailman/listinfo/oauth _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
