On 18/12/2018 17:06, Aaron Parecki wrote:
> The "exp" claim is an implementation detail of one type of access token,
> but obviously doesn't have any meaning to someone using non-JWT tokens.
> Since not everyone is using JWT access tokens, it seems strange to have
> a mention of a JWT-specific detail.
>
> That said, it sounds like the proposal is to recommend access tokens
> always have an expiration date? In that case, is it also important that
> the expiration date be communicated to the client?

The original context was from the ACE WG. In ACE we use pop-tokens
exclusively and it is important in some use cases that the client no
longer uses the pop-key material when the token has expired.
Ludwig Seitz, PhD
Security Lab, RISE
Phone +46(0)70-349 92 51
OAuth mailing list