Hello -- While implementing PAR, some questions came up around the request_uri, expiration, and one-time use semantics.
1: I found this conversation: https://mailarchive.ietf.org/arch/msg/oauth/Xp5Wyt4N9U6RZZzMd6RctU3koQw/# And so after reading it, my sense is that the request_uri one-time use semantics is "upon successful authorization response". Is that a fair conclusion?

2: The spec says that a typical range of values for the expiration is between 5 and 600 seconds. I guess someone with a low value is not expecting the end user to do any sort of interactive login, whereas the higher number is assuming the user does need to perform an interactive login. Is that a fair conclusion?

3: Any suggestions for an error response from the authorize endpoint when an expired or consumed request_uri is passed?

As always, many thanks folks!

-Brock
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
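As an added illustration of the three semantics asked about above (it is not code from the post, from the OAuth working group, or from any RFC), here is a small in-memory request_uri store for an authorization server implementing PAR: entries expire after a configurable lifetime, are marked consumed only when the authorization response has actually been issued, and an expired, consumed or unknown request_uri yields a distinguishable reason that the authorize endpoint can map to an error. The `urn:ietf:params:oauth:request_uri:` prefix is the one PAR defines; the `invalid_request_uri` error code used for the authorize endpoint is an assumption here, borrowed from the JAR error vocabulary rather than stated in the post, and the 5 to 600 second lifetime bounds simply mirror the "typical range" the post mentions.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Prefix defined by PAR for request URIs minted by the authorization server.
REQUEST_URI_PREFIX = "urn:ietf:params:oauth:request_uri:"

# Typical lifetime range mentioned in the post (5 .. 600 seconds); enforced as bounds here.
MIN_LIFETIME = 5
MAX_LIFETIME = 600


@dataclass
class PushedRequest:
    """One pushed authorization request, keyed by its request_uri."""
    params: Dict[str, str]
    expires_at: float
    consumed: bool = False


class PARStore:
    """Stores pushed requests; enforces expiry and one-time use on the authorize side."""

    def __init__(self, lifetime_seconds: int = 90, clock: Callable[[], float] = time.time):
        if not MIN_LIFETIME <= lifetime_seconds <= MAX_LIFETIME:
            raise ValueError("lifetime outside the typical 5..600 second range")
        self.lifetime = lifetime_seconds
        self.clock = clock  # injectable so expiry can be tested deterministically
        self._entries: Dict[str, PushedRequest] = {}

    def push(self, params: Dict[str, str]) -> Tuple[str, int]:
        """PAR endpoint: mint an unguessable request_uri; return it with expires_in."""
        handle = secrets.token_urlsafe(32)  # 256 bits of entropy, not derived from params
        request_uri = REQUEST_URI_PREFIX + handle
        self._entries[request_uri] = PushedRequest(dict(params), self.clock() + self.lifetime)
        return request_uri, self.lifetime

    def lookup(self, request_uri: str) -> Tuple[Optional[Dict[str, str]], Optional[str]]:
        """Authorize endpoint: resolve a request_uri or say why it cannot be used.

        Returns (params, None) on success, or (None, reason) with reason in
        {"unknown", "consumed", "expired"}. A lookup does NOT consume the entry,
        so an interactive login flow may re-resolve it before the response is issued.
        """
        entry = self._entries.get(request_uri)
        if entry is None:
            return None, "unknown"
        if entry.consumed:
            return None, "consumed"
        if self.clock() >= entry.expires_at:
            return None, "expired"
        return dict(entry.params), None

    def consume(self, request_uri: str) -> bool:
        """Mark the entry used; call this when the successful authorization response is sent."""
        entry = self._entries.get(request_uri)
        if entry is None or entry.consumed:
            return False
        entry.consumed = True
        return True

    def purge_expired(self) -> int:
        """Housekeeping: drop expired entries so the store cannot grow without bound."""
        now = self.clock()
        stale = [uri for uri, e in self._entries.items() if now >= e.expires_at]
        for uri in stale:
            del self._entries[uri]
        return len(stale)


def authorization_error(reason: str) -> Dict[str, str]:
    """Build the error parameters the authorize endpoint returns for a bad request_uri.

    The error code is an assumption (JAR-style invalid_request_uri); the description
    deliberately does not reveal whether the URI ever existed beyond what the client
    needs to retry with a fresh PAR request.
    """
    descriptions = {
        "unknown": "request_uri is not recognized",
        "consumed": "request_uri has already been used",
        "expired": "request_uri has expired",
    }
    return {
        "error": "invalid_request_uri",
        "error_description": descriptions.get(reason, "request_uri cannot be used"),
    }


if __name__ == "__main__":
    store = PARStore(lifetime_seconds=60)
    uri, expires_in = store.push({"client_id": "example-client", "response_type": "code"})
    print(uri, expires_in, store.lookup(uri))
    store.consume(uri)
    print(store.lookup(uri), authorization_error(store.lookup(uri)[1]))
```

Keeping `lookup` and `consume` separate is the point: the request_uri stays resolvable through a possibly long interactive login, and only the successful authorization response retires it, which matches the "upon successful authorization response" reading in question 1.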