[OAUTH-WG] expires_in

Hannes Tschofenig <Hannes.Tschofenig@arm.com> Tue, 18 December 2018 08:55 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/aUZCUhPhppmDpUBAqzihRYT7Sv0>

Hi all,

In a recent email conversation on the IETF ACE mailing list Ludwig Seitz suggested that the expires_in claim in an access token should actually be mandatory.
Intuitively it feels like access tokens shouldn't have an unrestricted lifetime. I am curious whether recommendations would be useful here.

RFC 6819 talks about the expires_in claim and says:

3.1.2.  Limited Access Token Lifetime

   The protocol parameter "expires_in" allows an authorization server
   (based on its policies or on behalf of the end user) to limit the
   lifetime of an access token and to pass this information to the
   client.  This mechanism can be used to issue short-lived tokens to
   OAuth clients that the authorization server deems less secure, or
   where sending tokens over non-secure channels.

draft-ietf-oauth-security-topics-10 only talks about refresh token expiry.

In OpenID Connect the expires_in claim is also optional.

Ciao
Hannes
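A client-side view of the optional parameter discussed above, as an added example that is not part of the original post: it parses an RFC 6749 token response, turns expires_in into an absolute expiry, and, because the server may omit the value, falls back to an assumed local lifetime cap (the cap values, refresh margin and sample responses are constructed for this example).

```python
"""Added example (not from the mailing-list post): client-side handling of
the optional OAuth 2.0 "expires_in" token-response parameter. The local
policy values below are assumptions, not anything the post specifies."""
import json
from dataclasses import dataclass

# Local client policy (constructed values for this example).
DEFAULT_TTL_SECONDS = 3600      # assumed lifetime when expires_in is absent
MAX_TTL_SECONDS = 24 * 3600     # never trust a longer lifetime than this
REFRESH_SKEW_SECONDS = 60       # stop using the token this early


@dataclass(frozen=True)
class CachedToken:
    access_token: str
    token_type: str
    expires_at: float          # absolute time, seconds since the epoch
    lifetime_source: str       # "server", "default" or "capped"


def parse_token_response(body: str, now: float) -> CachedToken:
    """Turn a token response into a cached token with an absolute expiry.
    expires_in is a lifetime in seconds and may be missing; an absent or
    malformed value falls back to the local default, and an oversized one
    is capped so the client never keeps a token for an unrestricted time."""
    resp = json.loads(body)
    access_token = resp["access_token"]
    token_type = resp.get("token_type", "Bearer")
    raw = resp.get("expires_in")
    source = "server"
    try:
        ttl = int(raw)
        if ttl <= 0:
            raise ValueError("non-positive lifetime")
    except (TypeError, ValueError):
        ttl, source = DEFAULT_TTL_SECONDS, "default"   # absent or malformed
    if ttl > MAX_TTL_SECONDS:
        ttl, source = MAX_TTL_SECONDS, "capped"         # enforce local cap
    return CachedToken(access_token, token_type, now + ttl, source)


def is_usable(token: CachedToken, now: float) -> bool:
    """True while the token is expected to be valid, minus a skew margin."""
    return now + REFRESH_SKEW_SECONDS < token.expires_at


# Constructed sample responses (not real tokens).
WITH_EXPIRY = '{"access_token":"tok-a","token_type":"Bearer","expires_in":300}'
WITHOUT_EXPIRY = '{"access_token":"tok-b","token_type":"Bearer"}'
```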
