That seems like a good idea, but then it should also be explicitly stated what to do if the server issues non-expiring tokens.
aaronpk On Mon, Jan 16, 2012 at 10:29 PM, Eran Hammer <e...@hueniverse.com> wrote: > How do you feel about changing expires_in from OPTIONAL to RECOMMENDED? > > EHL > > > -----Original Message----- > > From: Richer, Justin P. [mailto:jric...@mitre.org] > > Sent: Monday, January 16, 2012 7:29 PM > > To: Eran Hammer > > Cc: OAuth WG; wolter.eldering > > Subject: Re: [OAUTH-WG] Access Token Response without expires_in > > > > I think #3. > > > > #1 will be a common instance, and #2 (or its variant, a limited number of > > uses) is a different expiration pattern than time that would want to > have its > > own expiration parameter name. I haven't seen enough concrete use of this > > pattern to warrant its own extension though. > > > > Which is why I vote #3 - it's a configuration issue. Perhaps we should > rather > > say that the AS "SHOULD document the token behavior in the absence of > this > > parameter, which may include the token not expiring until explicitly > revoked, > > expiring after a set number of uses, or other expiration behavior." > That's a lot > > of words here though. > > > > -- Justin > > > > On Jan 16, 2012, at 1:53 PM, Eran Hammer wrote: > > > > > A question came up about the access token expiration when expires_in is > > not included in the response. This should probably be made clearer in the > > spec. The three options are: > > > > > > 1. Does not expire (but can be revoked) 2. Single use token 3. > > > Defaults to whatever the authorization server decides and until > > > revoked > > > > > > #3 is the assumed answer given the WG history. I'll note that in the > spec, > > but wanted to make sure this is the explicit WG consensus. > > > > > > EHL > > > > > > > > > _______________________________________________ > > > OAuth mailing list > > > OAuth@ietf.org > > > https://www.ietf.org/mailman/listinfo/oauth > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
