From draft 23, section 10.3:

The client SHOULD request access tokens with the minimal scope and
lifetime necessary. The authorization server SHOULD take the client
identity into account when choosing how to honor the requested scope
and lifetime, and MAY issue an access token with a less rights than
requested.

I can't find the part in the spec where the client can request access
tokens in such a way as to influence the lifetime.  Why is the client then
being advised in the above section to minimize the lifetime of the access
tokens it asks for?

Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - S. G. Tallentyre