Precisely, and without a strong consensus of use in practice today, getting the semantics right around a new parameter (even if optional) doesn't make sense this late in the game. The information in the token response is easily extensible by other documents, and it should go there if people really want it to go there.

 -- Justin

On 01/18/2012 08:56 AM, Paul Madsen wrote:
which argues for expressing both explicitly

On 1/17/12 3:58 PM, William Mills wrote:

One-use tokens can also expire before they are used. "You have 5 minutes to do this once."

------------------------------------------------------------------------
*From:* Torsten Lodderstedt [tors...@lodderstedt.net]
*Sent:* Tuesday, January 17, 2012 12:26 PM
*To:* Paul Madsen
*Cc:* oauth-boun...@ietf.org; Richer, Justin P.; OAuth WG
*Subject:* Re: AW: Re: [OAUTH-WG] Access Token Response without expires_in

Hi Paul,

that's not what I meant. The Client should know which tokens should be one time usage based on the API description. The authz server must not return expires_in because this would not make any sense in this case.

regards,
Torsten




Paul Madsen <paul.mad...@gmail.com> wrote:

    Hi Torsten, yes the use case in question is payment-based as well.

    Your suggestion for the client to infer one-time usage from a
    missing expires_in contradicts the general consensus of this
    thread does it not?

    paul

    On 1/17/12 11:38 AM, tors...@lodderstedt.net wrote:
    Hi,

    isn't one-time semantics typically associated with certain requests on certain resources/resource types? I therefore would assume the client to know which tokens to use one-time only. The authz server should not return an expires_in parameter. We for example use one time access tokens for payment transactions.

    What would such an extension specify?

    regards,
    Torsten.
    Sent with BlackBerry® Webmail from Telekom Deutschland

    -----Original Message-----
    From: Paul Madsen <paul.mad...@gmail.com>
    Sender: oauth-boun...@ietf.org
    Date: Tue, 17 Jan 2012 08:23:37
    To: Richer, Justin P. <jric...@mitre.org>
    Cc: OAuth WG <oauth@ietf.org>
    Subject: Re: [OAUTH-WG] Access Token Response without expires_in

    _______________________________________________
    OAuth mailing list
    OAuth@ietf.org
    https://www.ietf.org/mailman/listinfo/oauth
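
An added example (not part of the thread, and not code from any participant): client-side token handling that follows the positions argued above, where one-time use is known from the API description rather than inferred from a missing expires_in, and a one-time token can still expire before it is used. The scope name `payment`, the function names and the sample responses are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Assumption: the client learns from the API description (not from the token
# response) which scopes yield single-use tokens. "payment" is hypothetical.
ONE_TIME_SCOPES = {"payment"}

# Constructed sample token responses (parsed JSON bodies).
PAYMENT_RESPONSE = {"access_token": "tok-pay-1", "token_type": "bearer", "expires_in": 300}
PROFILE_RESPONSE = {"access_token": "tok-prof-1", "token_type": "bearer"}  # no expires_in


@dataclass
class StoredToken:
    value: str
    expires_at: Optional[float]  # None: the server stated no lifetime
    one_time: bool               # taken from the API description
    used: bool = False


def store_token(response: dict, scope: str, now: float) -> StoredToken:
    """Record a token response; a missing expires_in means 'lifetime unknown'."""
    expires_in = response.get("expires_in")
    if expires_in is not None:
        expires_in = int(expires_in)
        if expires_in <= 0:
            raise ValueError("expires_in must be a positive number of seconds")
    return StoredToken(
        value=response["access_token"],
        expires_at=None if expires_in is None else now + expires_in,
        one_time=scope in ONE_TIME_SCOPES,
    )


def take_for_request(tok: StoredToken, now: float) -> Optional[str]:
    """Return the token if it may still be sent, else None (obtain a new one)."""
    if tok.one_time and tok.used:
        return None  # single-use token already spent
    if tok.expires_at is not None and now >= tok.expires_at:
        return None  # expired, possibly before its one permitted use
    tok.used = True
    return tok.value
```
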

