GUT-profile-WG / GUT-profile

Repository for the G(rand) U(nified) T(oken) profile

token exchange security constraints to be considered #12

Open maarten-litmaath opened 8 months ago

maarten-litmaath commented 8 months ago

Token exchange is a versatile mechanism that should be constrained as much as feasible to avoid potential abuse.

A token-exchange client should have spelled out which exchanges it is allowed to do.

A first question concerns the lifetime of the token obtained through the exchange: is it allowed to be longer than that of the token to be exchanged?

There are arguments to let the remaining lifetime of a given token be an upper bound for the lifetime of any derived token.

In particular, by construction, it prevents the indefinite renewal of tokens through an exchange loop:

It is not clear, however, if such loops are likely to be made possible in actual service deployment and usage scenarios.

There also is an argument in favor of allowing derived tokens to have their own lifetimes, viz. improved security through shorter lifetimes!

Otherwise the original token would need to be given an extra long lifetime just to cover the eventualities of any derived tokens...
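The two lifetime policies debated above can be put side by side in a small model. The following is an added illustration for this discussion, not GUT-profile or RFC 8693 reference code: tokens are plain dicts, the client allow-list, audiences and times are all constructed, and `bounded=True` implements the rule that the remaining lifetime of the subject token caps any derived token, while `bounded=False` gives each derived token its own lifetime.

```python
"""Toy model of OAuth 2.0 token exchange lifetime policies.

Added illustration for the discussion in this issue; it is not GUT-profile
or RFC 8693 reference code. Tokens are plain dicts ('sub', 'aud', 'iat',
'exp'); times are integer seconds, and every value below is constructed.
"""

# Constructed allow-list: which (subject audience -> requested audience)
# exchanges a token-exchange client has been explicitly granted.
ALLOWED_EXCHANGES = {
    "exchange-client": {("storage", "compute"), ("compute", "storage")},
}

DEFAULT_LIFETIME = 3600  # seconds a derived token asks for


class ExchangeDenied(Exception):
    """Raised when a token exchange violates policy."""


def is_permitted(client_id, subject_aud, requested_aud):
    """True if the client has been granted this particular exchange."""
    return (subject_aud, requested_aud) in ALLOWED_EXCHANGES.get(client_id, set())


def exchange(subject, client_id, requested_aud, now,
             lifetime=DEFAULT_LIFETIME, bounded=True):
    """Return a derived token for `requested_aud`, or raise ExchangeDenied.

    bounded=True  : the derived 'exp' never exceeds the subject's 'exp'
                    (remaining lifetime is an upper bound; shorter is fine).
    bounded=False : the derived token gets its own full lifetime.
    """
    if now >= subject["exp"]:
        raise ExchangeDenied("subject token has expired")
    if not is_permitted(client_id, subject["aud"], requested_aud):
        raise ExchangeDenied(f"{client_id} may not exchange "
                             f"{subject['aud']} -> {requested_aud}")
    requested_exp = now + lifetime
    exp = min(requested_exp, subject["exp"]) if bounded else requested_exp
    return {"sub": subject["sub"], "aud": requested_aud, "iat": now, "exp": exp}


def renew_loop(token, client_id, start, steps, interval, bounded):
    """Alternate storage<->compute exchanges every `interval` seconds.

    Returns the latest 'exp' any derived token reached. Under the bounded
    policy this can never pass the original token's 'exp'; unbounded, each
    hop pushes it further out for as long as the loop keeps running.
    """
    t, furthest = start, token["exp"]
    for _ in range(steps):
        target = "compute" if token["aud"] == "storage" else "storage"
        try:
            token = exchange(token, client_id, target, t, bounded=bounded)
        except ExchangeDenied:
            break  # the chain ends with the original lifetime
        furthest = max(furthest, token["exp"])
        t += interval
    return furthest


if __name__ == "__main__":
    original = {"sub": "alice", "aud": "storage", "iat": 0, "exp": 3600}
    print("bounded  :", renew_loop(original, "exchange-client", 0, 10, 1800, True))
    print("unbounded:", renew_loop(original, "exchange-client", 0, 10, 1800, False))
```

With a one-hour original token and an exchange every 30 minutes, the bounded policy never yields an `exp` beyond the original 3600 seconds and the loop dies when the subject token expires, whereas the unbounded policy keeps extending the chain on every hop. The `min()` bound still permits a derived token to be shorter-lived than its subject, so the shorter-lifetime argument only conflicts with the bound when the derived token must outlive the original.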