[Openid-specs-fapi] Issue #52: Access Token / Refresh Token description not required? (openid/fapi)

Nat Sakimura nat at sakimura.org
Thu Dec 8 14:05:46 UTC 2016

Yes and no. While it probably is better to refer to the OIDC for token 
lifetime constraints, the TokenLifetime section in OpenID Connect Core 
does not talk about

- the implication of the bearer token
- the implication of the token being used against multiple resources

These builds up to bring in the notion of Holder of key token and 
resource audience constrained token respectively in Part 2. So, I would 
argue to keep the section and those descriptions here while we should 
refer to OIDC core for the recommendation on the token lifetime itself.

Nat Sakimura
Chairman, OpenID Foundation

On 2016-12-08 22:42, Dave Tonge via Openid-specs-fapi wrote:
> New issue 52: Access Token / Refresh Token description not required?
> https://bitbucket.org/openid/fapi/issues/52/access-token-refresh-token-description-not
> Dave Tonge:
> https://bitbucket.org/openid/fapi/annotate/d4edc14c0b76155c97623edb521bfdc56afd64b7/Financial_API_WD_001.md?at=master&fileviewer=file-view-default#Financial_API_WD_001.md-342
> This paragraph seems unneeded - or at the very least should refer to:
> http://openid.net/specs/openid-connect-core-1_0.html#TokenLifetime
> _______________________________________________
> Openid-specs-fapi mailing list
> Openid-specs-fapi at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-fapi

More information about the Openid-specs-fapi mailing list