ace-wg / ace-dtls-profile

A DTLS profile for Authentication and Authorization for Constrained Environments

What to do when the last valid token has expired? #12

Closed obgm closed 6 years ago

obgm commented 7 years ago

(Reported by Jim Schaad):

“no valid access token” covers three cases:

  1. expired access token,
  2. no token (but required for protected resource), and
  3. rogue token.

LudwigSeitz commented 7 years ago

Shouldn't we give the client a chance to POST a new token to /authz-info? Tearing down the DTLS session just because a token has expired seems pretty resource-wasteful to me.

obgm commented 6 years ago

Closed by commit 923fa97.