*if it
> decides to do so*, whatever the AS kindly asked him to do
>
> --
> Bertrand CARLIER
>
>
> From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of John Bradley
> Sent: Tuesday, 25 July 2017 18:03
> To: Bill Burke
> Cc: oauth@ietf.org
> Subject:
Subject: Re: [OAUTH-WG] Short lived access token and no refresh token
Max-age has to do with user re-auth in connect.
Some AS only give refresh tokens if a scope of offline_access or some such
special scope is requested.
There is no standard scope for that.
I don’t know of any way for the client to control the lifetime of the access
token other than by revoking it
For browser apps, implicit flow provides an access token but no refresh
token. For non-browser apps only client credentials grant doesn't
supply a refresh token. As for token access times, I believe only
extensions to OAuth define those types of capabilities. i.e. OpenID
Connect defines a "m
Hi All,
We have a scenario where one of our stakeholders wants to mandatorily
initiate the authentication at a certain point of time.
As per
https://www.oauth.com/oauth2-servers/access-tokens/access-token-lifetime/
there can be an option where access token is set for certain time and
refresh token i