Re: [OAUTH-WG] Access Token Response without expires_in

"Richer, Justin P." <jricher@mitre.org> Tue, 17 January 2012 03:29 UTC

Return-Path: <jricher@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6820921F85B5 for <oauth@ietfa.amsl.com>; Mon, 16 Jan 2012 19:29:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SoASp03q3Ykn for <oauth@ietfa.amsl.com>; Mon, 16 Jan 2012 19:29:32 -0800 (PST)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id B6C4E21F85B4 for <oauth@ietf.org>; Mon, 16 Jan 2012 19:29:32 -0800 (PST)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id F11F221B0C38; Mon, 16 Jan 2012 22:29:26 -0500 (EST)
Received: from IMCCAS02.MITRE.ORG (imccas02.mitre.org [129.83.29.79]) by smtpksrv1.mitre.org (Postfix) with ESMTP id DD65121B0BF6; Mon, 16 Jan 2012 22:29:26 -0500 (EST)
Received: from IMCMBX01.MITRE.ORG ([169.254.1.158]) by IMCCAS02.MITRE.ORG ([129.83.29.79]) with mapi id 14.01.0339.001; Mon, 16 Jan 2012 22:29:26 -0500
From: "Richer, Justin P." <jricher@mitre.org>
To: Eran Hammer <eran@hueniverse.com>
Thread-Topic: [OAUTH-WG] Access Token Response without expires_in
Thread-Index: AczUf8kvUkdgy1nHSGOm5KixWQExDAAclWSA
Date: Tue, 17 Jan 2012 03:29:26 +0000
Message-ID: <E4309A9E-9BC7-4547-918A-224B6233B25C@mitre.org>
References: <90C41DD21FB7C64BB94121FBBC2E723453A754C549@P3PW5EX1MB01.EX1.SECURESERVER.NET>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E723453A754C549@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [172.31.15.27]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <9E4671A2B0A14A4885F15A73006E0E55@imc.mitre.org>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "wolter.eldering" <wolter.eldering@enovation.com.cn>, OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Access Token Response without expires_in
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Jan 2012 03:29:33 -0000

I think #3.

#1 will be a common instance, and #2 (or its variant, a limited number of uses) is a different expiration pattern than time that would want to have its own expiration parameter name. I haven't seen enough concrete use of this pattern to warrant its own extension though. 

Which is why I vote #3 - it's a configuration issue. Perhaps we should rather say that the AS "SHOULD document the token behavior in the absence of this parameter, which may include the token not expiring until explicitly revoked, expiring after a set number of uses, or other expiration behavior." That's a lot of words here though.

 -- Justin

On Jan 16, 2012, at 1:53 PM, Eran Hammer wrote:

> A question came up about the access token expiration when expires_in is not included in the response. This should probably be made clearer in the spec. The three options are:
> 
> 1. Does not expire (but can be revoked)
> 2. Single use token
> 3. Defaults to whatever the authorization server decides and until revoked
> 
> #3 is the assumed answer given the WG history. I'll note that in the spec, but wanted to make sure this is the explicit WG consensus.
> 
> EHL
> 
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
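Option #3 puts the burden on the client: a token response without expires_in carries no lifetime information, so the client has to treat the lifetime as unknown and discover revocation or expiry from the resource server instead of assuming the token lives forever. The following is an added illustration of that client-side handling, written for this archive page; it is not code from the thread, from the OAuth WG or from any implementation discussed here. It assumes a Bearer token and the invalid_token error of RFC 6750, the helper names (parse_token_response, handle_resource_response, AccessToken) are hypothetical, and the token responses are constructed sample input.

```python
"""Client-side handling of an OAuth 2.0 token response with and without
expires_in. Constructed example for illustration; not code from the thread."""
import json
import time
from dataclasses import dataclass
from typing import Optional

# Refresh slightly before the nominal expiry to absorb clock skew between
# client and authorization server (value chosen for this example).
SKEW_SECONDS = 30


@dataclass
class AccessToken:
    value: str
    token_type: str
    expires_at: Optional[float]   # epoch seconds, or None when the AS sent no expires_in
    refresh_token: Optional[str]
    revoked: bool = False          # set once a resource server rejected the token

    def is_usable(self, now: Optional[float] = None) -> bool:
        """True if the client should still present this token.

        With expires_at None the lifetime is unknown (option #3 in the thread:
        whatever the AS decided, until revoked), so the client keeps using the
        token until a resource server rejects it; it never assumes a lifetime."""
        if self.revoked:
            return False
        if self.expires_at is None:
            return True
        now = time.time() if now is None else now
        return now + SKEW_SECONDS < self.expires_at


def parse_token_response(body: str, now: Optional[float] = None) -> AccessToken:
    """Parse the JSON body of a successful token endpoint response (RFC 6749 section 5.1)."""
    data = json.loads(body)
    if "access_token" not in data or "token_type" not in data:
        raise ValueError("token response lacks required access_token/token_type")
    now = time.time() if now is None else now
    expires_at = None
    if "expires_in" in data:
        lifetime = data["expires_in"]
        # Tolerate a digits-only string; reject anything that is not a positive integer
        # (bool is excluded explicitly because it is an int subclass in Python).
        if isinstance(lifetime, str) and lifetime.isdigit():
            lifetime = int(lifetime)
        if not isinstance(lifetime, int) or isinstance(lifetime, bool) or lifetime <= 0:
            raise ValueError(f"invalid expires_in: {data['expires_in']!r}")
        expires_at = now + lifetime
    return AccessToken(
        value=data["access_token"],
        token_type=data["token_type"],
        expires_at=expires_at,
        refresh_token=data.get("refresh_token"),
    )


def handle_resource_response(token: AccessToken, status: int, www_authenticate: str) -> str:
    """Decide the next step after a protected-resource call.

    Returns "ok", "refresh" or "reauthorize". A 401 carrying error="invalid_token"
    (RFC 6750 section 3.1) is how a client that never received expires_in learns
    that the token has expired or been revoked."""
    if status != 401:
        return "ok"
    if 'error="invalid_token"' in www_authenticate:
        token.revoked = True
        return "refresh" if token.refresh_token else "reauthorize"
    # Any other 401 means the bearer token scheme itself was not accepted.
    return "reauthorize"


if __name__ == "__main__":
    # Constructed sample responses: one without expires_in, one with it.
    no_expiry = parse_token_response('{"access_token": "t1", "token_type": "Bearer"}')
    timed = parse_token_response(
        '{"access_token": "t2", "token_type": "Bearer", "expires_in": 3600, "refresh_token": "r2"}'
    )
    print("no expires_in -> usable until rejected:", no_expiry.is_usable())
    print("expires_in=3600 -> usable now:", timed.is_usable())
    print("after invalid_token:", handle_resource_response(timed, 401, 'Bearer error="invalid_token"'))
```

The design point is the asymmetry: when expires_in is present the client proactively refreshes ahead of the deadline; when it is absent the client cannot schedule anything and must be prepared for an invalid_token rejection at any moment, which is exactly the "until revoked" behaviour the thread settles on.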