Hi all,

In a recent email conversation on the IETF ACE mailing list Ludwig Seitz suggested that the expires_in claim in an access token should actually be mandatory. Intuitively it feels like access tokens shouldn't have an unrestricted lifetime. I am curious whether recommendations would be useful here.

RFC 6819 talks about the expires_in claim and says:

> 3.1.2. Limited Access Token Lifetime
>
> The protocol parameter "expires_in" allows an authorization server (based on its policies or on behalf of the end user) to limit the lifetime of an access token and to pass this information to the client. This mechanism can be used to issue short-lived tokens to OAuth clients that the authorization server deems less secure, or where sending tokens over non-secure channels.

draft-ietf-oauth-security-topics-10 only talks about refresh token expiry. In OpenID Connect the expires_in claim is also optional.

Ciao
Hannes

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
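The bounded-lifetime behaviour the mail discusses, as an added example that is not part of the original message or of any IETF document: an authorization server that always populates expires_in and caps it per client type (shorter for clients it trusts less, in the spirit of RFC 6819 section 3.1.2), a client that uses expires_in to decide when to stop presenting a token, and a resource server that refuses tokens carrying no expiry at all. The lifetime caps, the client types and the toy unsigned token encoding are constructed assumptions; a real deployment signs or encrypts the token.

```python
import base64
import json
import time

# Constructed policy (assumption for this example, not from the mail or any RFC):
# per-client-type cap on access-token lifetime in seconds. Public clients, which the
# AS deems less secure, get shorter tokens.
MAX_LIFETIME_BY_CLIENT_TYPE = {"confidential": 3600, "public": 600}
DEFAULT_LIFETIME = 3600


def encode_token(claims):
    """Toy token encoding: base64url of JSON claims. Stand-in for a signed JWS; not for real use."""
    raw = json.dumps(claims, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_token(token):
    """Reverse of encode_token; restores the stripped base64 padding."""
    padded = token + "=" * (-len(token) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def issue_token_response(client_type, requested_lifetime=None, now=None):
    """Authorization-server side: the token response always carries expires_in,
    and the value never exceeds the cap for the client's type."""
    now = int(time.time()) if now is None else now
    cap = MAX_LIFETIME_BY_CLIENT_TYPE.get(client_type, MAX_LIFETIME_BY_CLIENT_TYPE["public"])
    wanted = DEFAULT_LIFETIME if requested_lifetime is None else requested_lifetime
    lifetime = max(1, min(wanted, cap))
    claims = {"iat": now, "exp": now + lifetime, "client_type": client_type}
    return {
        "access_token": encode_token(claims),
        "token_type": "Bearer",
        "expires_in": lifetime,  # always present here, so the client can plan renewal
    }


def client_token_fresh(token_response, received_at, now, skew=30):
    """Client side: use expires_in (relative to when the response arrived) to decide
    whether to keep presenting the token; a small skew avoids racing the expiry."""
    return now + skew < received_at + token_response["expires_in"]


def validate_token(token, now=None, max_accepted_lifetime=3600):
    """Resource-server side: reject tokens that are malformed, carry no expiry
    (unbounded lifetime), are already expired, or were issued for longer than local
    policy accepts. Returns (accepted, reason)."""
    now = int(time.time()) if now is None else now
    try:
        claims = decode_token(token)
    except ValueError:  # covers binascii.Error and json.JSONDecodeError
        return False, "malformed token"
    if not isinstance(claims, dict):
        return False, "malformed token"
    if "exp" not in claims or "iat" not in claims:
        return False, "missing exp/iat: unbounded lifetime not accepted"
    if not isinstance(claims["exp"], int) or not isinstance(claims["iat"], int):
        return False, "exp/iat must be integer seconds"
    if claims["exp"] <= now:
        return False, "expired"
    if claims["exp"] - claims["iat"] > max_accepted_lifetime:
        return False, "lifetime exceeds resource-server policy"
    return True, "ok"


if __name__ == "__main__":
    t0 = 1_000_000
    resp = issue_token_response("public", requested_lifetime=7200, now=t0)
    print(resp["expires_in"], validate_token(resp["access_token"], now=t0 + 100))
    print(validate_token(encode_token({"iat": t0}), now=t0 + 100))
```

The resource-server check is the part that makes a mandatory expiry meaningful: if the AS omits exp, the token is refused rather than treated as valid forever, and the max_accepted_lifetime bound lets a resource server enforce a tighter policy than the AS applied.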