[Openid-specs-fapi] JARM: Recommended value for lifetime of authorization response JWT

Takahiko Kawasaki taka at authlete.com
Sun Sep 23 04:16:25 UTC 2018


Do you have any recommended value for the lifetime of the authorization response
JWT, like the one given for the authorization code in RFC 6749?

From RFC 6749, 4.1.2. Authorization Response:

     REQUIRED.  The authorization code generated by the
     authorization server.  The authorization code MUST expire
     shortly after it is issued to mitigate the risk of leaks.  *A
     maximum authorization code lifetime of 10 minutes is
     RECOMMENDED.*  The client MUST NOT use the authorization code
     more than once.  If an authorization code is used more than
     once, the authorization server MUST deny the request and SHOULD
     revoke (when possible) all tokens previously issued based on
     that authorization code.  The authorization code is bound to
     the client identifier and redirection URI.

If you do, it would be great if it were mentioned in the specification.

Best Regards,
Takahiko Kawasaki
Authlete, Inc.
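What the question above is really about is how an `exp` claim on the JARM response JWT and the RFC 6749 rules quoted in the message interact in practice. The following is an added example, written for this page; it is not code from the original post, from Authlete, or from the OpenID FAPI working group. It mints a JARM-style response JWT with a bounded lifetime, has the client validate it (signature, `alg`, `iss`, `aud`, `exp` with a small clock skew, and `state`), and has the authorization server enforce the RFC 6749 code semantics: binding to client and redirect URI, expiry, single use, and revocation of already-issued tokens on reuse. Everything concrete is an assumption: the issuer, client ID, redirect URI and `state` are hypothetical; the signature is HS256 over a constructed shared secret only so the block runs offline (a real JARM deployment signs with the AS's asymmetric key); and the 600-second default lifetime is borrowed from the RFC 6749 authorization code recommendation, not a JARM recommendation.

```python
"""Added example: JARM-style response JWT with a bounded lifetime, plus the
RFC 6749 single-use / revoke-on-reuse rule for the enclosed authorization code."""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumptions for this example (not from the original post): HS256 over a
# constructed secret so it runs offline; hypothetical issuer, client and URI.
AS_SECRET = b"constructed-example-secret-not-for-production"
ISSUER = "https://as.example.com"
CLIENT_ID = "s6BhdRkqt3"
REDIRECT_URI = "https://client.example.com/cb"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, secret: bytes) -> str:
    """Compact JWS (HS256) over the claims; compact JSON keeps the token short."""
    segments = [b64url(json.dumps(part, separators=(",", ":")).encode())
                for part in ({"alg": "HS256", "typ": "JWT"}, claims)]
    signing_input = ".".join(segments)
    mac = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(mac)


class AuthorizationServer:
    """Issues JARM responses. response_lifetime is a parameter; the 600 s default
    borrows RFC 6749's authorization code maximum and is NOT a JARM recommendation."""

    def __init__(self, issuer=ISSUER, secret=AS_SECRET, response_lifetime=600):
        self.issuer, self.secret, self.response_lifetime = issuer, secret, response_lifetime
        self.codes = {}        # code -> record used to enforce binding, expiry, single use
        self.revoked = set()   # tokens revoked because their code was replayed

    def issue_response(self, client_id, redirect_uri, state, now):
        code = secrets.token_urlsafe(24)
        expires = now + self.response_lifetime
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "expires": expires, "used": False, "tokens": []}
        claims = {"iss": self.issuer, "aud": client_id, "iat": now, "exp": expires,
                  "code": code, "state": state}
        return sign_jwt(claims, self.secret)

    def redeem_code(self, code, client_id, redirect_uri, now):
        """RFC 6749 4.1.2: the code is bound to client and redirect URI, expires, and is
        single use; reuse denies the request and revokes tokens issued for that code."""
        rec = self.codes.get(code)
        if rec is None or rec["client_id"] != client_id or rec["redirect_uri"] != redirect_uri:
            return None
        if now > rec["expires"]:
            return None
        if rec["used"]:
            self.revoked.update(rec["tokens"])
            return None
        rec["used"] = True
        token = secrets.token_urlsafe(32)
        rec["tokens"].append(token)
        return token

    def is_token_valid(self, token):
        return token is not None and token not in self.revoked


class Client:
    def __init__(self, client_id=CLIENT_ID, issuer=ISSUER, as_secret=AS_SECRET, skew=5):
        self.client_id, self.issuer, self.as_secret, self.skew = client_id, issuer, as_secret, skew

    def verify_response(self, response_jwt, expected_state, now):
        """Validate the JARM response; return the code, or None if any check fails."""
        try:
            h, p, s = response_jwt.split(".")
            header, claims = json.loads(b64url_decode(h)), json.loads(b64url_decode(p))
        except ValueError:   # malformed base64/JSON or wrong segment count
            return None
        if header.get("alg") != "HS256":   # never accept "none" or an unexpected alg
            return None
        expected = hmac.new(self.as_secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            return None
        if claims.get("iss") != self.issuer or claims.get("aud") != self.client_id:
            return None
        if not isinstance(claims.get("exp"), int) or now > claims["exp"] + self.skew:
            return None   # response JWT lifetime elapsed (small skew tolerated)
        if claims.get("state") != expected_state:
            return None
        return claims.get("code")


def run_flow(lifetime=600):
    """Happy path, replay of the code, and a stale response; returns the outcomes."""
    now = int(time.time())
    server, client, state = AuthorizationServer(response_lifetime=lifetime), Client(), "af0ifjsldkj"
    jwt = server.issue_response(CLIENT_ID, REDIRECT_URI, state, now)
    code = client.verify_response(jwt, state, now + 1)
    token = server.redeem_code(code, CLIENT_ID, REDIRECT_URI, now + 2)
    replay = server.redeem_code(code, CLIENT_ID, REDIRECT_URI, now + 3)
    stale = client.verify_response(jwt, state, now + lifetime + 60)
    return {"code_ok": code is not None, "token": token, "replay": replay,
            "token_still_valid": server.is_token_valid(token), "stale_accepted": stale is not None}


if __name__ == "__main__":
    print(run_flow())
```

The point the flow makes is that a replayed code is not only denied but also costs the attacker (and the legitimate client) the token already issued for it, exactly as the quoted RFC text requires, and that the client's `exp` check is what bounds how long a leaked response JWT stays usable at all; that bound is whatever lifetime the AS chooses, which is the value the message asks the specification to recommend.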