Closed dshanske closed 2 years ago
Proposed language of amendment.
expires_in
property documented in OAuth 2.0 [RFC6749] Section 5.1 SHOULD be returned.expiration
(optional) - Integer timestamp, measured in the number of seconds since January 1 1970 UTC, indicating when this token will expire. The absence is this property indicates this is a non-expiring token.refresh_token
(optional) - a token which can be used to obtain new access tokens using the same authorization grant as outlined in Section 5.5.
- 6.2 add in notation of -
expiration
(optional) - Integer timestamp, measured in the number of seconds since January 1 1970 UTC, indicating when this token will expire. The absence is this property indicates this is a non-expiring token.
Don't you mean expires_at
(not expiration
) which is the absolute (epoch time) version of the relative expires_in
(seconds)?
Section 5.3.3 (Access Token Response) would be the best place to add the references to the expires_in
and refresh_token
properties.
We should add a new section (possibly 5.5) talking about refreshing access tokens.
See also #89.
The token introspection response should be discussed as part of adopting RFC7662 #33
Don't you mean
expires_at
(notexpiration
) which is the absolute (epoch time) version of the relativeexpires_in
(seconds)?
expires_at
isn't a thing really. OAuth has expires_in
for the access token response, and exp
in the token introspection response.
That's what I read. So we need expires_in. I'd like an absolute time, but I'll convert.
Wrote #90, a rough draft adding in the response parameters and adding a section summarizing Refresh Tokens.
This has been merged now.
Proposing the adoption of refresh tokens and expiration as recommended but not mandatory into the spec.
Simply speaking, the token would return when issued an expires_in parameter, and when verified an exp parameter to indicate the timestamp of expiry, adopting the parameter from the token introspection endpoint spec.
Refresh tokens, again, would be optional, and dictated per appropriate OAuth2 prior art.