[Openid-specs-ab] Potential tickets to file

Nat Sakimura sakimura at gmail.com
Tue Jan 17 22:09:33 UTC 2012

Good point.

In addition, sometimes it is useful to have a token that survives password
change as well. E.g., the token for email clients while using OTP on the
web side.

Nat Sakimura

On 2012/01/18, at 4:53, John Bradley <ve7jtb at ve7jtb.com> wrote:

Do we need a standard scope for requesting offline access (long-lived
access token)?

Some IdPs use a scope for offline_access.

Enables your application to perform authorized requests on behalf of the
user at any time. By default, most access tokens expire after a short time
period to ensure applications only make requests on behalf of the user when
they are actively using the application. This permission makes the access
token returned by our OAuth endpoint long-lived.

What is the default openID Connect access token lifetime without such a

Single use? 30min? Session duration?

There are also some undefined states in OAuth 2.0 with expires_in.

I would propose that openID connect access tokens are single use by

A server not sending expires_in is indicating default expiry behavior.

A server may make them longer lived by indicating that with expires_in.

A value of 0 for expires_in indicates the token will not expire due to
time, though it may due to password reset or users revoking access.

Facebook seems to use the 0 value but I can't find it documented anyplace.

If we go with single use the client can always get another token, and the
client doesn't need to worry about storing access tokens in the simple

It will help interop if we can make this consistent across IdPs.


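As an added example (not code from this thread, from Facebook, or from any OpenID Connect or OAuth 2.0 specification), the following Python model implements the expires_in semantics John proposes in the message above, with Nat's password-change caveat folded in: no expires_in means default behaviour (modelled here as single use), a positive value means time-based expiry, and 0 means no time-based expiry but still revocable by the user or by a password reset. The TokenRecord class, the function names, the survives_password_change flag and the sample token responses are all assumptions made for illustration.

```python
"""Model of the proposed expires_in semantics (illustrative, not normative).

Assumptions (not from the thread): the policy names, TokenRecord, the
survives_password_change flag, and the constructed sample responses below.
"""
import json
from dataclasses import dataclass
from typing import Optional

SINGLE_USE = "single_use"          # no expires_in in the response
TIMED = "timed"                    # expires_in > 0
NO_TIME_EXPIRY = "no_time_expiry"  # expires_in == 0


@dataclass
class TokenRecord:
    access_token: str
    policy: str
    issued_at: float
    expires_in: Optional[int] = None
    # Assumption: an IdP may issue tokens for e.g. email clients that are
    # meant to outlive a password change (Nat's point); default is not to.
    survives_password_change: bool = False
    used: bool = False
    revoked: bool = False

    def is_valid(self, now: float) -> bool:
        """Is the token still usable at time `now` under its policy?"""
        if self.revoked:
            return False
        if self.policy == SINGLE_USE:
            return not self.used
        if self.policy == TIMED:
            return now < self.issued_at + self.expires_in
        return True  # NO_TIME_EXPIRY: only revocation ends it


def parse_token_response(body: str, now: float) -> TokenRecord:
    """Classify a JSON token response according to the proposed rules."""
    resp = json.loads(body)
    if str(resp.get("token_type", "")).lower() != "bearer":
        raise ValueError("unsupported token_type")
    token = resp["access_token"]
    if "expires_in" not in resp:
        return TokenRecord(token, SINGLE_USE, now)
    raw = resp["expires_in"]
    # Some servers send the number as a string; bool is rejected because
    # it is an int subclass in Python and would otherwise slip through.
    if isinstance(raw, bool) or not isinstance(raw, (int, str)):
        raise ValueError("expires_in must be an integer")
    try:
        expires_in = int(raw)
    except ValueError:
        raise ValueError("expires_in must be an integer")
    if expires_in < 0:
        raise ValueError("expires_in must be non-negative")
    if expires_in == 0:
        return TokenRecord(token, NO_TIME_EXPIRY, now, 0)
    return TokenRecord(token, TIMED, now, expires_in)


def use_token(rec: TokenRecord, now: float) -> bool:
    """Spend the token on one request; returns whether it was accepted."""
    if not rec.is_valid(now):
        return False
    rec.used = True
    return True


def user_revokes(rec: TokenRecord) -> None:
    rec.revoked = True


def on_password_reset(rec: TokenRecord) -> None:
    """Password reset kills tokens unless they were issued to survive it."""
    if not rec.survives_password_change:
        rec.revoked = True


def authorization_scope(offline: bool) -> str:
    """Scope parameter for the authorization request; offline_access is
    the scope name John cites as used by some IdPs."""
    scopes = ["openid"]
    if offline:
        scopes.append("offline_access")
    return " ".join(scopes)


if __name__ == "__main__":
    # Constructed sample responses, one per proposed case.
    now = 1_000_000.0
    for body in ('{"access_token": "a", "token_type": "Bearer"}',
                 '{"access_token": "b", "token_type": "Bearer", "expires_in": 1800}',
                 '{"access_token": "c", "token_type": "Bearer", "expires_in": 0}'):
        rec = parse_token_response(body, now)
        print(rec.policy, "valid now:", rec.is_valid(now),
              "valid in a day:", rec.is_valid(now + 86400))
```

The single-use case shows why a client need not persist such tokens at all: the second use_token call fails, and the client simply requests a fresh token. The expires_in == 0 token only ever dies through user_revokes or on_password_reset, which is exactly the caveat the message attaches to that value.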