[Openid-specs-fapi] JARM: Recommended value for lifetime of authorization response JWT

Torsten Lodderstedt torsten at lodderstedt.net
Mon Sep 24 12:41:58 UTC 2018

Hi Takahiko,

Using the same default as for authz codes seems reasonable to me. I will add a recommendation.

Kind regards,

> On 23.09.2018 at 06:16, Takahiko Kawasaki via Openid-specs-fapi <openid-specs-fapi at lists.openid.net> wrote:
> Hi,
> Do you have any recommended value for lifetime of authorization response JWT like the authorization code in RFC 6749?
> From RFC 6749, 4.1.2. Authorization Response
> code
>      REQUIRED.  The authorization code generated by the
>      authorization server.  The authorization code MUST expire
>      shortly after it is issued to mitigate the risk of leaks.  A
>      maximum authorization code lifetime of 10 minutes is
>      RECOMMENDED.  The client MUST NOT use the authorization code
>      more than once.  If an authorization code is used more than
>      once, the authorization server MUST deny the request and SHOULD
>      revoke (when possible) all tokens previously issued based on
>      that authorization code.  The authorization code is bound to
>      the client identifier and redirection URI.
> If you have, it would be great if it is mentioned in the specification.
> Best Regards,
> Takahiko Kawasaki
> Authlete, Inc.

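The lifetime rule discussed in this thread, as an added example that is not part of the original messages or of the JARM specification: an authorization server issues the response JWT with a 10-minute `exp`, and the client rejects responses that are expired or whose remaining lifetime exceeds that cap. HS256 with a shared key stands in for the server's real signing algorithm so the block needs only the standard library; the function names, the 600-second cap and the 30-second clock skew are assumptions.

```python
import base64, hashlib, hmac, json

MAX_LIFETIME = 600  # seconds; assumed cap mirroring the RFC 6749 code lifetime
CLOCK_SKEW = 30     # seconds of tolerated clock drift (assumption)

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_response_jwt(key, iss, aud, params, now, lifetime=MAX_LIFETIME):
    """Authorization-server side: wrap response parameters in a short-lived JWT."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": iss, "aud": aud, "exp": int(now) + lifetime, **params}
    signing_input = _b64(json.dumps(header).encode()) + "." + _b64(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)

def validate_response_jwt(token, key, expected_iss, client_id, now):
    """Client side: return the claims, or raise ValueError naming the failed check."""
    try:
        h, c, s = token.split(".")
        header, claims, sig = json.loads(_unb64(h)), json.loads(_unb64(c)), _unb64(s)
        if not isinstance(header, dict) or not isinstance(claims, dict):
            raise ValueError("not JSON objects")
    except (ValueError, TypeError) as exc:
        raise ValueError("malformed JWT") from exc
    if header.get("alg") != "HS256":  # pin the algorithm instead of trusting the header
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    if claims.get("iss") != expected_iss:
        raise ValueError("wrong iss")
    if claims.get("aud") != client_id:  # single-valued aud assumed (the client_id)
        raise ValueError("wrong aud")
    exp = claims.get("exp")
    if not isinstance(exp, int) or isinstance(exp, bool):
        raise ValueError("missing exp")
    if now >= exp + CLOCK_SKEW:
        raise ValueError("expired")
    if exp - now > MAX_LIFETIME + CLOCK_SKEW:  # issuer granted an over-long lifetime
        raise ValueError("lifetime too long")
    return claims
```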