Hmm. This might become too much work at this stage… Happy for suggestions but I won’t pursue it on my own for now.
EHL From: Aaron Parecki [mailto:aa...@parecki.com] Sent: Monday, January 16, 2012 10:36 PM To: OAuth WG Cc: Richer, Justin P.; wolter.eldering; Eran Hammer Subject: Re: [OAUTH-WG] Access Token Response without expires_in That seems like a good idea, but then it should also be explicitly stated what to do if the server issues non-expiring tokens. aaronpk On Mon, Jan 16, 2012 at 10:29 PM, Eran Hammer <e...@hueniverse.com<mailto:e...@hueniverse.com>> wrote: How do you feel about changing expires_in from OPTIONAL to RECOMMENDED? EHL > -----Original Message----- > From: Richer, Justin P. [mailto:jric...@mitre.org<mailto:jric...@mitre.org>] > Sent: Monday, January 16, 2012 7:29 PM > To: Eran Hammer > Cc: OAuth WG; wolter.eldering > Subject: Re: [OAUTH-WG] Access Token Response without expires_in > > I think #3. > > #1 will be a common instance, and #2 (or its variant, a limited number of > uses) is a different expiration pattern than time that would want to have its > own expiration parameter name. I haven't seen enough concrete use of this > pattern to warrant its own extension though. > > Which is why I vote #3 - it's a configuration issue. Perhaps we should rather > say that the AS "SHOULD document the token behavior in the absence of this > parameter, which may include the token not expiring until explicitly revoked, > expiring after a set number of uses, or other expiration behavior." That's a > lot > of words here though. > > -- Justin > > On Jan 16, 2012, at 1:53 PM, Eran Hammer wrote: > > > A question came up about the access token expiration when expires_in is > not included in the response. This should probably be made clearer in the > spec. The three options are: > > > > 1. Does not expire (but can be revoked) 2. Single use token 3. > > Defaults to whatever the authorization server decides and until > > revoked > > > > #3 is the assumed answer given the WG history. I'll note that in the spec, > but wanted to make sure this is the explicit WG consensus. > > > > EHL > > > > > > _______________________________________________ > > OAuth mailing list > > OAuth@ietf.org<mailto:OAuth@ietf.org> > > https://www.ietf.org/mailman/listinfo/oauth _______________________________________________ OAuth mailing list OAuth@ietf.org<mailto:OAuth@ietf.org> https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
