[Openid-specs-ab] Refresh token lifetime?
Joseph Heenan
joseph at authlete.com
Tue Aug 27 12:37:33 UTC 2019
Hi Mischa
There are [at least] 3 different solutions in the wild, all mentioned in https://bitbucket.org/openid/fapi/issues/251/refresh-token-expiry-time
Joseph
> On 27 Aug 2019, at 13:22, Mischa Salle via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:
>
> Hi all,
>
> I was wondering if there is any standard (RFC or OpenID) for conveying
> the lifetime or expiry time of a refresh token?
> The access token response returns an expires_in for the
> access token, following https://tools.ietf.org/html/rfc6749#section-4.2.2
> but there seems to be no standard for returning an expiry time or
> lifetime for the refresh token.
> It would certainly be useful information for a client.
>
> In case there is no standard yet, what would be the right thing to do?
> I would suggest adding another access token response parameter, such as
> rt_expires_in. Alternatively, it could be the expiry time, e.g.
> refresh_token_exp or something like that.
>
> Are there already parties doing something like this?
>
> Mischa
>
> --
> Nikhef Room H155
> Science Park 105 Tel. +31-20-592 5102
> 1098 XG Amsterdam Fax +31-20-592 5155
> The Netherlands Email msalle at nikhef.nl
> __ .. ... _._. .... ._ ... ._ ._.. ._.. .._..
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
More information about the Openid-specs-ab
mailing list