[OAUTH-WG] Lifetime of refresh token
Donghwan Kim <flowersinthesand@gmail.com> Mon, 24 August 2015 05:41 UTC
Date: Mon, 24 Aug 2015 14:41:34 +0900
Message-ID: <CAMbDefvdNNLHSMZEXDDOhukzha8G0WLb9j7f6qVXTrXaGCQxTQ@mail.gmail.com>
From: Donghwan Kim <flowersinthesand@gmail.com>
To: oauth@ietf.org
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/zfYv69u4cn4FXOeIx5kAifFvncc>
Hi,

According to Figure 2 from http://tools.ietf.org/html/rfc6749#section-1.5, a refresh token can be used to refresh an expired access token without requesting the resource owner to sign in again (an uncomfortable experience). However, if that's true, isn't it the case that a refresh token might be used to request a new access token even years later? And then isn't a refresh token the same as an access token which never expires?

I intended to use the refresh token to implement persistent login by sending a refresh request before the issued access token expires (before expires_in runs out). But if the refresh token works even after the access token has already expired, sending a refresh request on application start-up would be enough.

So I'm not sure what I'm missing about refresh tokens, as well as how to implement persistent login using them (you can regard authentication here as the pseudo-authentication illustrated in https://upload.wikimedia.org/wikipedia/commons/3/32/OpenIDvs.Pseudo-AuthenticationusingOAuth.svg).

What is the lifetime of a refresh token?

Thanks,
-- Donghwan
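The following is an added example, not code from the original post or from any RFC, modelling the refresh flow of RFC 6749 section 1.5 that the question is about. It shows both sides: an in-memory authorization server that hands out a short-lived access token (expires_in) together with a refresh token, and a client start-up routine that implements persistent login by trying the stored refresh token whenever the access token is no longer valid. The refresh-token lifetime (REFRESH_TOKEN_TTL), the single-use rotation of refresh tokens, and the choice to keep the original absolute expiry across rotations are policy assumptions made for this example to address the "years later" concern; RFC 6749 leaves these to the authorization server.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

ACCESS_TOKEN_TTL = 3600           # seconds, returned to the client as expires_in
REFRESH_TOKEN_TTL = 30 * 86400    # assumed policy: absolute refresh-token lifetime


@dataclass
class TokenResponse:
    """Subset of the token endpoint response fields from RFC 6749 section 5.1."""
    access_token: str
    expires_in: int
    refresh_token: str


class AuthorizationServer:
    """Toy authorization server holding opaque tokens in memory (example only)."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self.clock = clock
        self._access: Dict[str, Tuple[str, float]] = {}   # token -> (user, expiry)
        self._refresh: Dict[str, Tuple[str, float]] = {}  # token -> (user, absolute expiry)

    def _issue(self, user: str, refresh_expiry: float) -> TokenResponse:
        now = self.clock()
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self._access[access] = (user, now + ACCESS_TOKEN_TTL)
        self._refresh[refresh] = (user, refresh_expiry)
        return TokenResponse(access, ACCESS_TOKEN_TTL, refresh)

    def sign_in(self, user: str) -> TokenResponse:
        """Resource owner authenticates interactively; a new refresh-token lifetime starts."""
        return self._issue(user, self.clock() + REFRESH_TOKEN_TTL)

    def refresh(self, refresh_token: str) -> TokenResponse:
        """Token endpoint with grant_type=refresh_token. Whether the access token
        has already expired is irrelevant; only the refresh token's own state counts."""
        entry = self._refresh.pop(refresh_token, None)  # single use: rotate on every refresh
        if entry is None:
            raise PermissionError("invalid_grant")       # unknown, revoked or already used
        user, expiry = entry
        if self.clock() >= expiry:
            raise PermissionError("invalid_grant")       # the refresh token itself expired
        # The rotated refresh token inherits the original absolute expiry, so
        # refreshing cannot extend a session indefinitely (assumed policy).
        return self._issue(user, expiry)

    def user_for(self, access_token: str) -> Optional[str]:
        """What a resource server checks before serving a request."""
        entry = self._access.get(access_token)
        if entry is None or self.clock() >= entry[1]:
            return None
        return entry[0]


def start_up(server: AuthorizationServer, stored: Optional[TokenResponse]):
    """Client-side persistent login at application start-up.
    Returns (outcome, tokens to keep); 'needs_sign_in' means the user must log in again."""
    if stored is None:
        return "needs_sign_in", None
    if server.user_for(stored.access_token) is not None:
        return "access_token_valid", stored
    try:
        return "refreshed", server.refresh(stored.refresh_token)
    except PermissionError:
        return "needs_sign_in", None
```

Refreshing only at start-up is enough for a client that is restarted regularly; a long-running client would instead refresh when expires_in is about to run out. Because the server rotates the refresh token on each use, a stored copy that was already exchanged stops working, which is also what reveals a refresh token that has been replayed.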