My understanding was that this parameter was advisory to the client - it neither mandated the client discard the token after the expires_in time, nor has a requirement that the token is no longer honored by protected resouces at that point in time (vs earlier or later).
Is there meaning that others assign to this value? The only use I’ve found is to schedule proactive refreshes to hopefully reduce latency by reducing the need to refresh in-line with user requests. -DW > On Dec 18, 2018, at 3:55 AM, Hannes Tschofenig <hannes.tschofe...@arm.com> > wrote: > > Hi all, > > In a recent email conversation on the IETF ACE mailing list Ludwig Seitz > suggested that the expires_in claim in an access token should actually be > mandatory. > Intuitively it feels like access tokens shouldn't have an unrestricted > lifetime. I am curious whether recommendations would be useful here. > > RFC 6819 talks about the expires_in claim and says: > > 3.1.2. Limited Access Token Lifetime > > The protocol parameter "expires_in" allows an authorization server > (based on its policies or on behalf of the end user) to limit the > lifetime of an access token and to pass this information to the > client. This mechanism can be used to issue short-lived tokens to > OAuth clients that the authorization server deems less secure, or > where sending tokens over non-secure channels. > > draft-ietf-oauth-security-topics-10 only talks about refresh token expiry. > > In OpenID Connect the expires_in claim is also optional. > > Ciao > Hannes > > IMPORTANT NOTICE: The contents of this email and any attachments are > confidential and may also be privileged. If you are not the intended > recipient, please notify the sender immediately and do not disclose the > contents to any other person, use it for any purpose, or store or copy the > information in any medium. Thank you. > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
