For browser apps, the implicit flow provides an access token but no refresh
token. For non-browser apps, only the client credentials grant doesn't
supply a refresh token. As for token access times, I believe only
extensions to OAuth define those types of capabilities, i.e. OpenID
Connect defines a "max-age" claim that you can pass when requesting a token.
On 7/25/17 10:48 AM, Saurav Sarkar wrote:
Hi All,
We have a scenario where one of our stakeholders wants to mandatorily
initiate the authentication at a certain point in time.
As per
https://www.oauth.com/oauth2-servers/access-tokens/access-token-lifetime/
there can be an option where the access token is set for a certain time and
the refresh token is not set. So we want to explore this option for this
scenario.
I have a couple of questions regarding this:
(a) Is this option part of the OAuth 2 specification? If yes, can you
please point me to the exact IETF link?
(b) Is there any other way our scenario can be achieved? We want this
scenario to be supported from the authorization server (platform)
itself and not in the client app or resource server.
Thanks and Best Regards,
Saurav
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
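The two mechanisms discussed in this thread, as an added illustration that is not part of the mailing-list exchange or of any real authorization server: (1) a token endpoint that issues a time-limited access token and omits the refresh token for the implicit and client credentials grants, as RFC 6749 specifies, and optionally for any grant as a server-side policy (which is what the question asks for), and (2) the OpenID Connect check behind the reply's "max-age" remark, where the client sends a `max_age` request parameter and the OpenID provider compares it against the `auth_time` of the last authentication. Function names, lifetimes and timestamps below are constructed for the example.

```python
"""Added example (not from the thread): a toy OAuth 2.0 / OpenID Connect
authorization-server policy for token lifetime and forced re-authentication.
All names, lifetimes and timestamps are constructed for illustration."""
import secrets
import time

# Access-token lifetime the server hands out (constructed value, in seconds).
ACCESS_TOKEN_LIFETIME = 600

# Grants that, per RFC 6749, do not return a refresh token:
# implicit (4.2.2, MUST NOT) and client_credentials (4.4.3, SHOULD NOT).
GRANTS_WITHOUT_REFRESH = {"implicit", "client_credentials"}


def issue_token_response(grant_type, allow_refresh=True):
    """Build the token-endpoint response for a grant type.

    allow_refresh=False models an authorization-server policy that withholds
    the refresh token for every grant, so the client has to go back through
    the authorization server when the access token expires.
    """
    response = {
        "access_token": secrets.token_urlsafe(32),
        "token_type": "Bearer",
        "expires_in": ACCESS_TOKEN_LIFETIME,
    }
    if allow_refresh and grant_type not in GRANTS_WITHOUT_REFRESH:
        response["refresh_token"] = secrets.token_urlsafe(32)
    return response


def access_token_valid(issued_at, expires_in, now=None):
    """Resource-server side: a bearer token is accepted only until
    issued_at + expires_in; afterwards a new token must be obtained."""
    now = time.time() if now is None else now
    return now < issued_at + expires_in


def reauth_required(auth_time, max_age, now=None):
    """OpenID Connect: if the authentication request carries max_age, the
    OpenID provider must re-authenticate the end user when the previous
    authentication (auth_time) is older than max_age seconds.
    max_age=0 means 'always re-authenticate'; None means no constraint."""
    if max_age is None:
        return False
    if max_age == 0:
        return True
    now = time.time() if now is None else now
    return (now - auth_time) > max_age


if __name__ == "__main__":
    # Constructed walk-through of the policy decisions.
    for grant in ("authorization_code", "implicit", "client_credentials"):
        print(grant, "->", sorted(issue_token_response(grant)))
    print("no-refresh policy ->",
          sorted(issue_token_response("authorization_code", allow_refresh=False)))
    t0 = 1_500_000_000  # constructed auth_time
    print("reauth after 5 min with max_age=300:",
          reauth_required(t0, 300, now=t0 + 301))
```

Withholding the refresh token only bounds the session to `expires_in`; it does not by itself force a fresh user login, since a client with a still-valid session at the authorization server may be re-issued a token silently. The `max_age` / `auth_time` check is what makes the provider demand a new authentication, which is why the reply points to the OpenID Connect extension rather than to core OAuth 2.0.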