Hi
Access tokens (particularly JWT-based) may have a not before property
set - for example, a token introspection response may report an 'nbf'
property.
How can a client react to the error related to using the access token
too early?
Typically a client would attempt to refresh a token if it has been
rejected by the RS, but in the case of NBF-related errors it can become a
cycle - refresh - get a new token - try it, too early, repeat...
I think for the RS, reporting 503 with Retry-After, instead of 400/401, would
be the right way to handle NBF errors.
Thanks, Sergey
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
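
An added example, not part of the original message: client-side decision logic for the behaviour proposed above, where a 503 with Retry-After means "keep the token and wait" and a 401 triggers a bounded refresh, so the refresh cycle cannot repeat. The function names, the `MAX_WAIT` and `MAX_REFRESHES` limits and the plain-dict header lookup are assumptions made for this example.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

MAX_WAIT = 300      # assumed cap (seconds) on how long the client honours Retry-After
MAX_REFRESHES = 1   # assumed limit: refresh at most once per request


def retry_after_seconds(value, now):
    """Parse Retry-After (delta-seconds or HTTP-date); None if absent or unusable."""
    if value is None:
        return None
    value = value.strip()
    if value.isascii() and value.isdigit():
        return int(value)
    try:
        when = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return None
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    # A date already in the past means "retry now".
    return max(0, int((when - now).total_seconds()))


def next_action(status, headers, refreshes_done, now):
    """Return ('wait', seconds), ('refresh', None) or ('fail', reason)."""
    if status == 503:
        delay = retry_after_seconds(headers.get("Retry-After"), now)
        if delay is None:
            return ("fail", "503 without usable Retry-After")
        if delay > MAX_WAIT:
            return ("fail", "Retry-After exceeds client cap")
        # Token is not yet valid: keep it and retry later, do not refresh.
        return ("wait", delay)
    if status == 401:
        if refreshes_done >= MAX_REFRESHES:
            # A fresh token was rejected too: stop instead of cycling.
            return ("fail", "token rejected again after refresh")
        return ("refresh", None)
    return ("fail", f"unhandled status {status}")


if __name__ == "__main__":
    now = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)  # constructed clock
    print(next_action(503, {"Retry-After": "30"}, 0, now))
    print(next_action(401, {}, 1, now))
```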