[OAUTH-WG] Re: review of draft-ietf-oauth-refresh-token-expiration-00.txt
Nick Watson <nwatson@google.com> Sat, 10 January 2026 00:48 UTC
Return-Path: <nwatson@google.com>
X-Original-To: oauth@mail2.ietf.org
Delivered-To: oauth@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 41635A5A2E77 for <oauth@mail2.ietf.org>; Fri, 9 Jan 2026 16:48:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -17.6
X-Spam-Level:
X-Spam-Status: No, score=-17.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eSkJ1cMDoAsI for <oauth@mail2.ietf.org>; Fri, 9 Jan 2026 16:48:29 -0800 (PST)
Received: from mail-ej1-x62d.google.com (mail-ej1-x62d.google.com [IPv6:2a00:1450:4864:20::62d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id A460EA5A2E70 for <oauth@ietf.org>; Fri, 9 Jan 2026 16:48:29 -0800 (PST)
Received: by mail-ej1-x62d.google.com with SMTP id a640c23a62f3a-b832c65124cso791256466b.0 for <oauth@ietf.org>; Fri, 09 Jan 2026 16:48:29 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1768006109; x=1768610909; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=q2bGu0lw7FVfThfs4NYPym3pJU4oxEGdtKvmZw8SgIY=; b=M4S2mNUcXfeFNgepWDWsxq+WyrsD+2xLMb5DgjakSC6pZkWmM9Mkp9gm3LSGRQEz2c BvpY4cVAFtn3Ql3Xhi3b8IT5FKheKr297moVLo0FaGyUZ8wJRWHJSDblRCKRZEGk5LDF krFeICq/6dQJiMUtWMlqToHGidy7K9LOotHKCvnhyqa06FEBy0CUSkdk+aKCTBRiVydT AMmwp0jFb4yVIuOOTch6bGU4adFFEYxsGPHlnobxqcR5NkTId59roaGWnIy2+9NUHNsc Wb9wDSA+rawYmo91Yad8hqdNT4BdGQuhxOd9p43LiFY3UgSo/vO/W/EUwMylH9+YoEC5 zRRQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1768006109; x=1768610909; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=q2bGu0lw7FVfThfs4NYPym3pJU4oxEGdtKvmZw8SgIY=; b=q/WA2dZRDER11vxxWImC1MBfEe+SfeXNVbWhmXEOjUagwmSbOnGqiMh/RN2kXKBhBW +VkjKVHC7JfoyzKUqeYZGhZjknoYo+Qx8j7svf2ksXgec6KtFu76Fgjyg6zbtAZt5N57 x/cbeRozGRhNiwy9x6bBcpu6rIfOtPDIUwHmps1zX39vdymNWgnndBg1tC4J8xLb2q1Z yLSK9h7EKNs/jusQbvwBtZMRduqDJUyOGgWPjZci9F6ZpaC9Qk0taTWY+JClksSgZmjc rqXD616qCQA6Vw3WW5JshYWajQ4RGo4rjpDEPmoU5PEheYaTA7ZE0Ay3zw1dQ2vvirkr INQA==
X-Gm-Message-State: AOJu0Yyw6ghgQHJlLyfXoa2mQGIqtduUGnITACZ9FP7RUxq7tl042Lkr u07K5i2Utt26Tm3P0y0h5k0ElZwaryWyJ5Oho65VVXXPqKvIpuYIBRL+6WDhi8Xm68uLsDsPMAv ktaKVXyPrHd/5xIomlwvcrEMdBqz5JtYK6yF6iMp8GHXkV+FLzgMQQymqyNo=
X-Gm-Gg: AY/fxX4lwWco7dzDYTVWMHBxD6gFLQTX3/oFoEBWXnchzh/Egnh2SB7AMQAZI/KXEo8 efIHn6W9xQ2X5d8utj6Ggi3ilu45bTCEkY4XvRbXTfJ7HbZwBdNIuGu5jSPWjFUi3O6NunBoFtg HXBEqyNllKsOI3G5jykINKh3t4fqw1mKKYZntsO02MsCuuS4//LJEtQZ3RVnR2DWWPHfQJW8bvw L36Fd1VyLqSl2PxRg1MEwdn4ewN9/XrgqsLdxBluXblfUvRtbuAdI0gaeYg/ZXAzXGbaLDFqxlc Yd8zi350id3SiXZyWfs3bWQdJHm98zrJi7pxQMzbgw==
X-Google-Smtp-Source: AGHT+IFQnIuzFiHa2iB0t2pI8bRA2sXlArTDgnMEk7t8BEwjnxvCW8dwMKk0vvPfqrpiJ5MNiRlhD5xpL0eSbT92ezk=
X-Received: by 2002:a17:907:3d94:b0:b74:9862:3e36 with SMTP id a640c23a62f3a-b8444fd4a61mr1170862866b.51.1768006107789; Fri, 09 Jan 2026 16:48:27 -0800 (PST)
MIME-Version: 1.0
References: <CAKUhyqGa_zNYTAw1jmD2v9PLcFCkS_2LWeR7CARH7VoRKAdfTw@mail.gmail.com>
In-Reply-To: <CAKUhyqGa_zNYTAw1jmD2v9PLcFCkS_2LWeR7CARH7VoRKAdfTw@mail.gmail.com>
From: Nick Watson <nwatson@google.com>
Date: Fri, 09 Jan 2026 16:48:16 -0800
X-Gm-Features: AQt7F2q_ngkYoQccCERUOWl_8-xfLWVpZbDYeRqQF_mpRiIPFcfXOBC-pV3-kAk
Message-ID: <CALZ8nCt6C5KwHBPfYh54fcgqSXN_yW3wLpwtvyG5kSyPri9RLA@mail.gmail.com>
To: Dan Moore <dan=40fusionauth.io@dmarc.ietf.org>
Content-Type: multipart/alternative; boundary="000000000000049d3d0647fe004d"
Message-ID-Hash: HLJBOHR5YSLRBXZAHRDJATFFCSV337YH
X-Message-ID-Hash: HLJBOHR5YSLRBXZAHRDJATFFCSV337YH
X-MailFrom: nwatson@google.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: oauth <oauth@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [OAUTH-WG] Re: review of draft-ietf-oauth-refresh-token-expiration-00.txt
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/kZlybGw2Jmid7JGTEfaCBEeFShM>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>
Hi Dan, thanks for the review! You're correct it hasn't changed between adoption. Comments in line. I will likely incorporate your suggestions and George's next week, and then update the list. On Thu, Jan 8, 2026 at 4:41 PM Dan Moore <dan=40fusionauth.io@dmarc.ietf.org> wrote: > Hi folks, > > Reviewed this draft when it was > https://datatracker.ietf.org/doc/draft-watson-oauth-refresh-token-expiration/ > but my understanding is that nothing changed between the documents. > > Comments. > > Section 6.1: > > "If finite, the authorization server" > > ... is that another way of saying this RFC is optional? > Well all RFCs are optional I guess. :) But "if finite" means that even spec implementers can still have tokens without expiration. They're only obligated to return a value if the refresh token expires. > > how do you typically say "if this rfc is implemented?" > > Section 6.1.2 > > I find the term "Infinite Expiration" a bit confusing. Maybe Non-Expiring, > Indefinite or Perpetual would be clearer? > I like "indefinite" as it goes nicely with the concept of manual user revocation – indefinite but can still be invalidated through other means. I'll update the wording similarly to your suggestion. > > So the section title could be changed to "Indefinite Expiration" > > and > > omitted response fields could indicate > either indefinite validity or simply lack of support for this > specification. However, infinite expiration and lack of information > about expiration should be handled by the client in the same way. > That is to say, the client must always handle refresh token > invalidation not caused by expiration, such as by explicit user > revocation. > > becomes > omitted response fields could indicate > either perpetual refresh token validity or simply lack of support for > this > specification. However, lack of expiration and lack of information > about expiration should be handled by the client in the same way. > That is to say, the client must always handle refresh token > invalidation not caused by expiration, such as by explicit user > revocation. > > Section 6.3 > > Would it be more precise to change "An exchange" to "A refresh token > grant" throughout the examples? > Maybe I can just use "a refresh"? "Refresh token grant" always sounds odd to me as my ear hears it more like "granting a refresh token". Maybe others have thoughts here? > > What if a refresh token has expired but we are within the authorization > window? That might be a good example to add. > Will do. It must be rejected by the AS if presented. > > Section 7 > > I didn't understand refresh_token_expiration_types_supported and the > different types of expiration offered. What is the difference between > expiration of type "credential" vs type "authorization"? > Definitely open to better names here, but those correspond to support for the refresh_token_timeout and authorization_expires_in parameters, respectively. > > What did I miss? > > Section 9 > > I see [OAuth 2.1 Sec 4.3.1] referenced, but it is not in the Normative > references section. > > Or would it be better to point to the published BCP 9700 instead of the > unpublished OAuth2.1 draft? > https://www.rfc-editor.org/rfc/rfc9700.html#refresh_token_protection > talks about refresh token rotation (4.14.2). > I'll point to 9700 until such time as 2.1 is published. > > Thanks, > Dan > > _______________________________________________ > OAuth mailing list -- oauth@ietf.org > To unsubscribe send an email to oauth-leave@ietf.org >