Re: [OAUTH-WG] Access Token Response without expires_in

[Eran Hammer <eran@hueniverse.com>]

How do you feel about changing expires_in from OPTIONAL to RECOMMENDED?

EHL

> -----Original Message-----
> From: Richer, Justin P. [mailto:jricher@mitre.org]
> Sent: Monday, January 16, 2012 7:29 PM
> To: Eran Hammer
> Cc: OAuth WG; wolter.eldering
> Subject: Re: [OAUTH-WG] Access Token Response without expires_in
> 
> I think #3.
> 
> #1 will be a common instance, and #2 (or its variant, a limited number of
> uses) is a different expiration pattern than time that would want to have its
> own expiration parameter name. I haven't seen enough concrete use of this
> pattern to warrant its own extension though.
> 
> Which is why I vote #3 - it's a configuration issue. Perhaps we should rather
> say that the AS "SHOULD document the token behavior in the absence of this
> parameter, which may include the token not expiring until explicitly revoked,
> expiring after a set number of uses, or other expiration behavior." That's a lot
> of words here though.
> 
>  -- Justin
> 
> On Jan 16, 2012, at 1:53 PM, Eran Hammer wrote:
> 
> > A question came up about the access token expiration when expires_in is
> not included in the response. This should probably be made clearer in the
> spec. The three options are:
> >
> > 1. Does not expire (but can be revoked) 2. Single use token 3.
> > Defaults to whatever the authorization server decides and until
> > revoked
> >
> > #3 is the assumed answer given the WG history. I'll note that in the spec,
> but wanted to make sure this is the explicit WG consensus.
> >
> > EHL
> >
> >
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth