On 15/01/16 15:47, Sergey Beryozkin wrote: > Hi John > > Thanks, looks like it was a last minute change because Introduction > does not explain why would clients want to use the introspection > endpoint to effectively 'unwrap' the opaque token representations. > > I have another question. How to report the expiry time in cases when > the tokens do not expire ? I'm aware of some deployments where access > tokens are only manually deleted and otherwise would not expire. > > Perhaps not reporting the expiry time is equivalent to the token never > expiring ? Or may be reporting 0 or -1 works ?
The core OAuth 2.0 spec seems to imply the former: http://tools.ietf.org/html/rfc6749#section-5.1 Using a zero or negative integer may not be a good idea, as clients may just take the value as it is and add it to the current system time, concluding that the token has expired :) Cheers, Vladimir > > Thanks, Sergey > On 15/01/16 13:32, John Bradley wrote: >> Some people wanted the client to be able to use introspection. >> >> The ability to pass a refresh token is a legacy of that. A RS >> would never have a refresh token unless it is acting as a client. >> That is correct. >> >> John B. >> >>> On Jan 15, 2016, at 5:34 AM, Sergey Beryozkin <sberyoz...@gmail.com> >>> wrote: >>> >>> Hi All, >>> >>> I'm reviewing RFC 7622 as we are going ahead with implementing it. >>> I have a question: >>> >>> 1. Token Hint in the introspection request. >>> The spec mentions 'refresh_token' as one of the possible values. But >>> a protected resource does not see a refresh token (ever ?), it is >>> Access Token service which does. >>> When would a protected resource use a 'refresh_token' hint when >>> requesting an introspection response ? >>> >>> Thanks, Sergey >>> >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >> > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth -- Vladimir Dzhuvinov
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
