thanks Torsten, but by the same logic we could say that each RS should
document the lifetime of tokens it will accept and so the AS need not
send expires_in .... - why rely on implicit understanding for one-time
tokens when we don't for those that expire based on time?
I have no particular axe-to-grind here - just hoping for a consensus
best practice for one-time tokens
paul
On 1/17/12 12:26 PM, Torsten Lodderstedt wrote:
Hi Paul,
that's not what I meant. The Client should know which tokens should be
one time usage based on the API description. The authz server must not
return expires_in because this would not make any sense in this case.
regards,
Torsten
Paul Madsen <paul.mad...@gmail.com> wrote:
Hi Torsten, yes the use case in question is payment-based as well.
Your suggestion for the client to infer one-time usage from a
missing expires_in contradicts the general consensus of this
thread does it not?
paul
On 1/17/12 11:38 AM, tors...@lodderstedt.net wrote:
Hi,
isn't one-time semantics typically associated with certain requests on
certain resources/resource types? I therefore would assume the client to know
which tokens to use one-time only. The authz server should not return an
expires_in parameter. We for example use one time access tokens for payment
transactions.
What would such an extension specify?
regards,
Torsten.
-----Original Message-----
From: Paul Madsen <paul.mad...@gmail.com>
Sender: oauth-boun...@ietf.org
Date: Tue, 17 Jan 2012 08:23:37
To: Richer, Justin P. <jric...@mitre.org>
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Access Token Response without expires_in
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth