Re: [OAUTH-WG] Access Token Response without expires_in

Paul Madsen <paul.madsen@gmail.com> Tue, 17 January 2012 13:23 UTC

Message-ID: <4F157659.7050701@gmail.com>
Date: Tue, 17 Jan 2012 08:23:37 -0500
From: Paul Madsen <paul.madsen@gmail.com>
To: "Richer, Justin P." <jricher@mitre.org>
References: <90C41DD21FB7C64BB94121FBBC2E723453A754C549@P3PW5EX1MB01.EX1.SECURESERVER.NET> <E4309A9E-9BC7-4547-918A-224B6233B25C@mitre.org>
In-Reply-To: <E4309A9E-9BC7-4547-918A-224B6233B25C@mitre.org>
Cc: OAuth WG <oauth@ietf.org>

Separate from the question posed here, we are seeing customer demand for 
one-time semantics, but agree with Justin that this would best belong in 
a dedicated extension parameter and not the default.

paul

On 1/16/12 10:29 PM, Richer, Justin P. wrote:
> I think #3.
>
> #1 will be a common instance, and #2 (or its variant, a limited number of uses) is a different expiration pattern than time that would want to have its own expiration parameter name. I haven't seen enough concrete use of this pattern to warrant its own extension though.
>
> Which is why I vote #3 - it's a configuration issue. Perhaps we should rather say that the AS "SHOULD document the token behavior in the absence of this parameter, which may include the token not expiring until explicitly revoked, expiring after a set number of uses, or other expiration behavior." That's a lot of words here though.
>
>   -- Justin
>
> On Jan 16, 2012, at 1:53 PM, Eran Hammer wrote:
>
>> A question came up about the access token expiration when expires_in is not included in the response. This should probably be made clearer in the spec. The three options are:
>>
>> 1. Does not expire (but can be revoked)
>> 2. Single use token
>> 3. Defaults to whatever the authorization server decides and until revoked
>>
>> #3 is the assumed answer given the WG history. I'll note that in the spec, but wanted to make sure this is the explicit WG consensus.
>>
>> EHL
>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
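What option #3 means on the client side, as an added example that is not code from this thread or from any OAuth library: when `expires_in` is absent the client records the lifetime as unknown instead of inventing a default, treats the token as usable, and lets the resource server's RFC 6750 `invalid_token` error be the signal that the authorization server's own policy (expiry, single use, or explicit revocation) has ended it. The function names, the 30-second skew allowance, the acceptance of a digit-only string for `expires_in`, and the two token responses and `WWW-Authenticate` header are all constructed for this illustration. The published RFC 6749 (section 5.1) settled close to Justin's wording: if `expires_in` is omitted, the authorization server SHOULD provide the expiration time via other means or document the default value.

```python
"""Client handling of an OAuth 2.0 access token response with and
without `expires_in`.  Added example; the responses are constructed."""
import json
import re
import time
from dataclasses import dataclass
from typing import Optional

# Assumption: tolerate this much clock skew between AS and client.
CLOCK_SKEW_SECONDS = 30

_AUTH_PARAM = re.compile(r'(\w+)="([^"]*)"')


@dataclass
class AccessToken:
    value: str
    token_type: str
    # None means the lifetime is unknown: whatever the AS decided, until
    # it is revoked or the resource server rejects it (option #3).
    expires_at: Optional[float]
    revoked: bool = False


def parse_token_response(body: str, received_at: float) -> AccessToken:
    """Parse a JSON token response.  `received_at` is the client's clock
    when the response arrived, so `expires_in` (seconds) can be anchored."""
    data = json.loads(body)
    if "access_token" not in data or "token_type" not in data:
        raise ValueError("token response lacks access_token or token_type")
    expires_at = None
    if "expires_in" in data:
        raw = data["expires_in"]
        # Assumption: some servers send the number as a string; accept digits.
        if isinstance(raw, str) and raw.isdigit():
            raw = int(raw)
        if isinstance(raw, bool) or not isinstance(raw, int) or raw < 0:
            raise ValueError("expires_in must be a non-negative integer")
        # Expire locally a little early to absorb skew; never later.
        expires_at = received_at + raw - CLOCK_SKEW_SECONDS
    return AccessToken(data["access_token"], data["token_type"], expires_at)


def is_usable(token: AccessToken, now: float) -> bool:
    """Local pre-check before sending a request.  An unknown lifetime is
    treated as usable: the resource server, not the client, is the authority."""
    if token.revoked:
        return False
    if token.expires_at is None:
        return True
    return now < token.expires_at


def handle_resource_response(token: AccessToken, status: int, www_authenticate: str) -> bool:
    """Apply the resource server's verdict (RFC 6750 section 3).  Returns
    True when the token must be replaced (refresh or re-authorize)."""
    scheme, _, params = www_authenticate.strip().partition(" ")
    if status != 401 or scheme.lower() != "bearer":
        return False
    auth_params = dict(_AUTH_PARAM.findall(params))
    if auth_params.get("error") == "invalid_token":
        token.revoked = True
        return True
    return False


if __name__ == "__main__":
    now = time.time()
    # Constructed token responses: one with a lifetime, one without.
    with_lifetime = parse_token_response(
        '{"access_token":"2YotnFZFEjr1zCsicMWpAA","token_type":"Bearer","expires_in":3600}', now)
    without = parse_token_response(
        '{"access_token":"tGzv3JOkF0XG5Qx2TlKWIA","token_type":"Bearer"}', now)
    print("with expires_in usable:", is_usable(with_lifetime, now))
    print("without expires_in usable:", is_usable(without, now))
    handle_resource_response(without, 401, 'Bearer realm="api", error="invalid_token"')
    print("after invalid_token usable:", is_usable(without, now))
```

The point of `expires_at=None` rather than a large sentinel is that any code path that later serializes or compares the lifetime is forced to handle the unknown case explicitly; a 403 `insufficient_scope` leaves the token alone, since only `invalid_token` says the token itself is dead.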