[Openid-specs-fapi] JARM: Recommended value for lifetime of authorization response JWT
Torsten Lodderstedt
torsten at lodderstedt.net
Mon Sep 24 12:41:58 UTC 2018
Hi Takahiko,
Using the same default as for authz codes seems reasonable to me. I will add a recommendation.
Kind regards,
Torsten.
> On 23.09.2018 at 06:16, Takahiko Kawasaki via Openid-specs-fapi <openid-specs-fapi at lists.openid.net> wrote:
>
> Hi,
>
> Do you have any recommended value for the lifetime of the authorization response JWT, like the one for the authorization code in RFC 6749?
>
> From RFC 6749, 4.1.2. Authorization Response
>
> code
> REQUIRED. The authorization code generated by the
> authorization server. The authorization code MUST expire
> shortly after it is issued to mitigate the risk of leaks. A
> maximum authorization code lifetime of 10 minutes is
> RECOMMENDED. The client MUST NOT use the authorization code
> more than once. If an authorization code is used more than
> once, the authorization server MUST deny the request and SHOULD
> revoke (when possible) all tokens previously issued based on
> that authorization code. The authorization code is bound to
> the client identifier and redirection URI.
>
> If you have one, it would be great if it were mentioned in the specification.
>
> Best Regards,
> Takahiko Kawasaki
> Authlete, Inc.
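As an added illustration of the point settled in this thread (example code, not from the thread, Authlete or the JARM specification): an authorization server stamps the JARM response JWT with the 10 minute lifetime borrowed from RFC 6749 authorization codes, and the client rejects expired responses, responses with a longer lifetime than recommended, and replayed codes. HS256 with a shared secret, the issuer, client id and timestamps are assumptions made so the example runs stand-alone; a real JARM response is a JWS verified against the server's published keys.

```python
import base64, hashlib, hmac, json

# Lifetime default agreed in the thread: the RFC 6749 authorization code
# maximum of 10 minutes, reused for the JARM response JWT.
MAX_RESPONSE_LIFETIME = 600

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _require(cond: bool, msg: str) -> None:
    if not cond:
        raise ValueError(msg)

def issue_jarm_response(secret, issuer, client_id, code, state, now, lifetime=MAX_RESPONSE_LIFETIME):
    # Authorization server side. HS256 with a shared secret is an assumption made
    # so the example runs stand-alone; real JARM responses use the AS's published keys.
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"iss": issuer, "aud": client_id, "exp": now + lifetime, "code": code, "state": state}
    signing_input = f"{header}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"

class JarmClient:
    # Client side: verify the response JWT, then enforce single use of the code.
    def __init__(self, secret, issuer, client_id):
        self.secret, self.issuer, self.client_id = secret, issuer, client_id
        self._used_codes = set()  # codes already redeemed by this client

    def validate(self, token, expected_state, now):
        parts = token.split(".")
        _require(len(parts) == 3, "malformed JWT")
        # Pin the expected algorithm instead of trusting the token's own header.
        _require(json.loads(_b64url_decode(parts[0])).get("alg") == "HS256", "unexpected alg")
        expected = hmac.new(self.secret, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
        _require(hmac.compare_digest(expected, _b64url_decode(parts[2])), "bad signature")
        claims = json.loads(_b64url_decode(parts[1]))
        _require(claims.get("iss") == self.issuer, "wrong issuer")
        aud = claims.get("aud")
        _require(self.client_id in (aud if isinstance(aud, list) else [aud]), "wrong audience")
        exp = claims.get("exp")
        _require(isinstance(exp, int) and now < exp, "response expired")
        _require(exp - now <= MAX_RESPONSE_LIFETIME, "exp exceeds the 10 minute lifetime")
        _require(claims.get("state") == expected_state, "state mismatch")
        code = claims.get("code")
        _require(bool(code) and code not in self._used_codes, "missing or replayed code")
        self._used_codes.add(code)  # single use, as RFC 6749 requires for codes
        return code
```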