Re: [OAUTH-WG] Access Token Response without expires_in

William Mills <> Tue, 17 January 2012 17:00 UTC

Date: Tue, 17 Jan 2012 09:00:20 -0800
From: William Mills <>
To: Paul Madsen <>, "Richer, Justin P." <>
Cc: OAuth WG <>
Subject: Re: [OAUTH-WG] Access Token Response without expires_in

Does this require an extension? That seems like something easy to overload on scope.

From: Paul Madsen <>
To: "Richer, Justin P." <>
Cc: OAuth WG <>
Sent: Tuesday, January 17, 2012 5:23 AM
Subject: Re: [OAUTH-WG] Access Token Response without expires_in

Separate from the question posed here, we are seeing customer demand for one-time semantics, but agree with Justin that this would best belong in a dedicated extension parameter and not the default 


On 1/16/12 10:29 PM, Richer, Justin P. wrote:

I think #3. #1 will be a common instance, and #2 (or its variant, a limited number of uses) is a different expiration pattern than time that would want to have its own expiration parameter name. I haven't seen enough concrete use of this pattern to warrant its own extension though. Which is why I vote #3 - it's a configuration issue. Perhaps we should rather say that the AS "SHOULD document the token behavior in the absence of this parameter, which may include the token not expiring until explicitly revoked, expiring after a set number of uses, or other expiration behavior." That's a lot of words here though.

-- Justin

On Jan 16, 2012, at 1:53 PM, Eran Hammer wrote:

> A question came up about the access token expiration when expires_in is not included in the response. This should probably be made clearer in the spec. The three options are:
>
> 1. Does not expire (but can be revoked)
> 2. Single use token
> 3. Defaults to whatever the authorization server decides and until revoked
>
> #3 is the assumed answer given the WG history. I'll note that in the spec, but wanted to make sure this is the explicit WG consensus.
>
> EHL

_______________________________________________
OAuth mailing list 
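Added example, not from this thread or from any OAuth library: a client-side parser for the JSON token response (the format that became RFC 6749 section 5.1) that implements option #3 from Eran's list. When expires_in is absent it assumes no lifetime, treats the token as live until the resource server rejects it, and lets the client apply its own configured cap instead of guessing; the `assumed_lifetime` parameter, the `AccessToken` field names and the sample responses are my own.

```python
import json
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class AccessToken:
    value: str
    token_type: str
    expires_at: Optional[float]   # None: no expiry is known to the client (option #3)
    lifetime_known: bool          # True only if the AS actually sent expires_in
    rejected: bool = False        # set once the resource server rejects the token

    def mark_rejected(self) -> None:
        """Call when the RS answers 401 invalid_token: revoked or expired server-side."""
        self.rejected = True

    def is_usable(self, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        if self.rejected:
            return False
        return self.expires_at is None or now < self.expires_at


def parse_token_response(body: str, now: float,
                         assumed_lifetime: Optional[int] = None) -> AccessToken:
    """Parse a token endpoint success response. 'now' is injected for testability."""
    data = json.loads(body)
    try:
        value, token_type = data["access_token"], data["token_type"]
    except KeyError as exc:
        raise ValueError(f"token response missing required field {exc}") from None
    expires_in = data.get("expires_in")
    if expires_in is not None:
        # Lifetime in seconds; reject bools, non-integers and non-positive values
        # rather than silently treating a malformed value as "never expires".
        if isinstance(expires_in, bool) or not isinstance(expires_in, int) or expires_in <= 0:
            raise ValueError("expires_in must be a positive integer number of seconds")
        return AccessToken(value, token_type, now + expires_in, True)
    # expires_in absent: the AS decides, and the token lives until revoked. The client
    # may cap how long it keeps using the token (a local policy choice, not spec behaviour).
    expires_at = None if assumed_lifetime is None else now + assumed_lifetime
    return AccessToken(value, token_type, expires_at, False)


if __name__ == "__main__":
    # Constructed sample responses.
    t = parse_token_response('{"access_token":"tok1","token_type":"bearer"}', now=1000.0)
    print(t.lifetime_known, t.is_usable(now=10**9))   # False True
```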