Re: [OAUTH-WG] Short lived access token and no refresh token

CARLIER Bertrand <> Tue, 25 July 2017 16:47 UTC

From: CARLIER Bertrand
To: John Bradley, Bill Burke
Date: Tue, 25 Jul 2017 16:47:19 +0000


Depending on what is meant by “scenario to be supported from the authorization server (platform) itself and not in the client app or resource server”, it may be difficult (or impossible) to achieve.
In the end, the resource server only applies token lifetime policy *if it decides to do so*, whatever the AS kindly asked him to do.

Bertrand CARLIER

From: OAuth, on behalf of John Bradley
Sent: Tuesday, 25 July 2017 18:03
To: Bill Burke
Subject: Re: [OAUTH-WG] Short lived access token and no refresh token

Max-age has to do with user re-auth in connect.

Some AS only give refresh tokens if a scope of offline_access or some such special scope is requested.
There is no standard scope for that.

I don’t know of any way for the client to control the lifetime of the access token other than by revoking it with the AS.

Depending on the AS you should be able to control the AT lifetime on a per client basis.

John B.

On Jul 25, 2017, at 11:37 AM, Bill Burke wrote:

For browser apps, implicit flow provides an access token but no refresh token.  For non-browser apps only client credentials grant doesn't supply a refresh token.  As for token access times, I believe only extensions to OAuth define those types of capabilities.  i.e. OpenID Connect defines a "max-age" claim that you can pass when requesting a token.

On 7/25/17 10:48 AM, Saurav Sarkar wrote:
Hi All,

We have a scenario where one of our stakeholders wants to mandatorily initiate the authentication at a certain point of time.

As per
there can be an option where access token is set for certain time and refresh token is not set. So we want to explore this option for this scenario.

I have a couple of questions regarding this:

(a) Is this option part of the OAuth 2 specification? If yes, can you please point me to the exact IETF link?

(b) Is there any other way our scenario can be achieved? We want this scenario to be supported from the authorization server (platform) itself and not in the client app or resource server.

Thanks and Best Regards,
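
The behaviour discussed in this thread, as an added example that is not part of the original messages: an authorization server that sets the access-token lifetime per client and omits the refresh token, next to one resource server that ignores the expiry and one that enforces it. The token format (HMAC-signed JSON, not a JWT), the shared key, the client names and the policy table are all constructed for illustration.

```python
import base64, hashlib, hmac, json, secrets

KEY = b"constructed-demo-key"  # constructed secret shared by the AS and RS
# Hypothetical per-client AS policy: access-token lifetime (s) and refresh-token issuance.
CLIENT_POLICY = {
    "kiosk-app": {"at_lifetime": 300, "refresh": False},
    "mobile-app": {"at_lifetime": 3600, "refresh": True},
}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _sign(payload: str) -> str:
    return _b64(hmac.new(KEY, payload.encode(), hashlib.sha256).digest())

def issue(client_id: str, now: int) -> dict:
    """AS side: token response with the fields of RFC 6749 section 5.1."""
    policy = CLIENT_POLICY[client_id]
    claims = {"client_id": client_id, "iat": now, "exp": now + policy["at_lifetime"]}
    payload = _b64(json.dumps(claims).encode())
    resp = {"access_token": f"{payload}.{_sign(payload)}",
            "token_type": "Bearer", "expires_in": policy["at_lifetime"]}
    if policy["refresh"]:  # without this, the client must send the user back to the AS
        resp["refresh_token"] = secrets.token_urlsafe(32)
    return resp

def _claims(token: str) -> dict:
    """Verify the signature and return the claims; raises ValueError if tampered."""
    payload, _, sig = token.partition(".")
    if not hmac.compare_digest(sig.encode(), _sign(payload).encode()):
        raise ValueError("bad signature")
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def rs_lenient(token: str, now: int) -> bool:
    """Resource server that checks the signature but never looks at `exp`."""
    _claims(token)
    return True

def rs_strict(token: str, now: int) -> bool:
    """Resource server that also enforces the lifetime the AS set."""
    return now < _claims(token)["exp"]

if __name__ == "__main__":
    resp = issue("kiosk-app", now=1000)
    token = resp["access_token"]
    print("refresh token issued:", "refresh_token" in resp)
    print("strict RS at t=1299:", rs_strict(token, 1299))
    print("strict RS at t=1300:", rs_strict(token, 1300))
    print("lenient RS at t=5000:", rs_lenient(token, 5000))
```
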


