<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <font face="Helvetica, Arial, sans-serif">I think the
      "offline_access" issue is important. Here is how we are planning
      to approach it (whether for OAuth2 or OpenID Connect).<br>
      <br>
If the "offline_access" scope is not present in the scope list,
      then all access_tokens and refresh_tokens will be tied to the
      lifetime of the authentication session created by the flow. This
      means that when the user logs out, all access_tokens and
      refresh_tokens are revoked.<br>
      <br>
If the "offline_access" scope is specified, then the refresh_token
      (and subsequently the access_tokens) are NOT tied to the
      authentication session. They live beyond the current session.
      However, the access_tokens still have a "short" time to live. They
      are not single use. Asking the client to get single use tokens for
      every request is not going to work for many use cases.<br>
      <br>
      When it comes to the actual lifetime of the access_token, I think
      that decision needs to be made by the Authorization Server and
      could change depending on the "risk" of the requested scopes among
      other factors. Since the protocols allow the AS to specify the
      expiry time, it seems like we don't need to specify that in the
      spec.<br>
      <br>
      If we need to document something for interop and conformance, I'd
      prefer to do so at the level of tokens being tied to the
      authentication session or not.<br>
      <br>
      Thanks,<br>
      George<br>
    </font><br>
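The session-binding policy George describes above, as an added example written for this page (not code from any OpenID Connect implementation or from the authors on the list); the risk-based lifetimes and the "payments" scope are constructed values:

```python
# Toy authorization server showing the "offline_access" policy described above:
# tokens issued without the scope are bound to the authentication session and
# are revoked at logout; with the scope, the refresh token and the access tokens
# minted from it outlive the session, but access tokens still expire after a
# short, AS-chosen lifetime (they are not single use). Example code written for
# this page; the lifetimes and the "payments" scope are constructed values.
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed risk-based lifetimes in seconds: "risky" scopes get shorter access tokens.
ACCESS_TTL = {"low": 3600, "high": 300}
HIGH_RISK_SCOPES = {"payments"}


@dataclass
class Token:
    value: str
    kind: str                    # "access" or "refresh"
    session_id: Optional[str]    # None: not tied to an authentication session
    expires_at: Optional[float]  # None: no time-based expiry (refresh tokens here)
    scopes: List[str]
    revoked: bool = False


class AuthorizationServer:
    def __init__(self) -> None:
        self.tokens: Dict[str, Token] = {}

    def access_ttl(self, scopes: List[str]) -> int:
        """Lifetime is the AS's decision and may depend on the requested scopes."""
        return ACCESS_TTL["high"] if HIGH_RISK_SCOPES & set(scopes) else ACCESS_TTL["low"]

    def _mint(self, kind: str, session_id: Optional[str],
              expires_at: Optional[float], scopes: List[str]) -> Token:
        tok = Token(secrets.token_urlsafe(16), kind, session_id, expires_at, list(scopes))
        self.tokens[tok.value] = tok
        return tok

    def issue(self, session_id: str, scopes: List[str], now: float) -> dict:
        """Token response for a flow that ran inside authentication session `session_id`."""
        # Without offline_access both tokens are tied to the session; with it, neither is.
        bind = None if "offline_access" in scopes else session_id
        ttl = self.access_ttl(scopes)
        access = self._mint("access", bind, now + ttl, scopes)
        refresh = self._mint("refresh", bind, None, scopes)
        return {"access_token": access.value, "refresh_token": refresh.value,
                "expires_in": ttl}

    def refresh(self, refresh_token: str, now: float) -> Optional[dict]:
        """Exchange a refresh token for a new short-lived access token (same binding)."""
        rt = self.tokens.get(refresh_token)
        if rt is None or rt.kind != "refresh" or not self.is_valid(refresh_token, now):
            return None
        ttl = self.access_ttl(rt.scopes)
        access = self._mint("access", rt.session_id, now + ttl, rt.scopes)
        return {"access_token": access.value, "expires_in": ttl}

    def logout(self, session_id: str) -> int:
        """End an authentication session: revoke every token bound to it."""
        count = 0
        for tok in self.tokens.values():
            if tok.session_id == session_id and not tok.revoked:
                tok.revoked = True
                count += 1
        return count

    def is_valid(self, value: str, now: float) -> bool:
        """Resource-server side check: known, not revoked, not past expiry."""
        tok = self.tokens.get(value)
        if tok is None or tok.revoked:
            return False
        return tok.expires_at is None or now < tok.expires_at
```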
    On 1/17/12 8:22 PM, John Bradley wrote:
    <blockquote
      cite="mid:78A9327A-E04A-4A83-AFCE-F60370F4E38B@ve7jtb.com"
type="cite">I think we should track the
      issue.
      <div><br>
      </div>
      <div>We could easily get different IdP assigning different
        meanings to expires_in=0 etc.</div>
      <div><br>
      </div>
      <div>I don't know what the correct answer is at the moment, but I
        see it as a potential interop problem for clients.</div>
      <div><br>
      </div>
      <div>John <br>
        <div>
          <div>On 2012-01-17, at 7:36 PM, Mike Jones wrote:</div>
          <br class="Apple-interchange-newline">
          <blockquote type="cite"><span class="Apple-style-span"
              style="border-collapse: separate; font-family: Helvetica;
              font-style: normal; font-variant: normal; font-weight:
              normal; letter-spacing: normal; line-height: normal;
              orphans: 2; text-align: -webkit-auto; text-indent: 0px;
              text-transform: none; white-space: normal; widows: 2;
              word-spacing: 0px; -webkit-border-horizontal-spacing: 0px;
              -webkit-border-vertical-spacing: 0px;
              -webkit-text-decorations-in-effect: none;
              -webkit-text-size-adjust: auto; -webkit-text-stroke-width:
              0px; font-size: medium; ">
              <div bgcolor="white" link="blue" vlink="purple"
                lang="EN-US">
                <div class="WordSection1" style="page: WordSection1; ">
                  <div style="margin-top: 0in; margin-right: 0in;
                    margin-left: 0in; margin-bottom: 0.0001pt;
                    font-size: 12pt; font-family: 'Times New Roman',
                    serif; "><span style="font-size: 11pt; font-family:
                      Calibri, sans-serif; color: rgb(31, 73, 125); ">I
                      don’t see a compelling case for baking token
                      lifetime decisions into the specs at this time. 
                      This seems like an area where we would profitably
                      learn from implementation experiences, once a
                      number of them have been in production and
                      specific issues and choices faced can be
                      identified and described.<o:p></o:p></span></div>
                  <div style="margin-top: 0in; margin-right: 0in;
                    margin-left: 0in; margin-bottom: 0.0001pt;
                    font-size: 12pt; font-family: 'Times New Roman',
                    serif; "><span style="font-size: 11pt; font-family:
                      Calibri, sans-serif; color: rgb(31, 73, 125); "><o:p> </o:p></span></div>
                  <div style="margin-top: 0in; margin-right: 0in;
                    margin-left: 0in; margin-bottom: 0.0001pt;
                    font-size: 12pt; font-family: 'Times New Roman',
                    serif; "><span style="font-size: 11pt; font-family:
Calibri, sans-serif; color: rgb(31, 73, 125); ">-- Mike<o:p></o:p></span></div>
                  <div style="margin-top: 0in; margin-right: 0in;
                    margin-left: 0in; margin-bottom: 0.0001pt;
                    font-size: 12pt; font-family: 'Times New Roman',
                    serif; "><span style="font-size: 11pt; font-family:
                      Calibri, sans-serif; color: rgb(31, 73, 125); "><o:p> </o:p></span></div>
                  <div>
                    <div style="border-right-style: none;
                      border-bottom-style: none; border-left-style:
                      none; border-width: initial; border-color:
                      initial; border-top-style: solid;
                      border-top-color: rgb(181, 196, 223);
                      border-top-width: 1pt; padding-top: 3pt;
                      padding-right: 0in; padding-bottom: 0in;
                      padding-left: 0in; ">
                      <div style="margin-top: 0in; margin-right: 0in;
                        margin-left: 0in; margin-bottom: 0.0001pt;
                        font-size: 12pt; font-family: 'Times New Roman',
                        serif; "><b><span style="font-size: 10pt;
                            font-family: Tahoma, sans-serif; ">From:</span></b><span
                          style="font-size: 10pt; font-family: Tahoma,
                          sans-serif; "><span
                            class="Apple-converted-space"> </span><a
                            moz-do-not-send="true"
                            href="mailto:openid-specs-ab-bounces@lists.openid.net">openid-specs-ab-bounces@lists.openid.net</a>
[<a class="moz-txt-link-freetext" href="mailto:openid-specs-ab-bounces@lists.openid.net">mailto:openid-specs-ab-bounces@lists.openid.net</a>]<span
                            class="Apple-converted-space"> </span><b>On
                            Behalf Of<span class="Apple-converted-space"> </span></b>Nat
                          Sakimura<br>
                          <b>Sent:</b><span
                            class="Apple-converted-space"> </span>Tuesday,
                          January 17, 2012 2:10 PM<br>
                          <b>To:</b><span class="Apple-converted-space"> </span>John
                          Bradley<br>
                          <b>Cc:</b><span class="Apple-converted-space"> </span><a
                            moz-do-not-send="true"
                            href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a><br>
                          <b>Subject:</b><span
                            class="Apple-converted-space"> </span>Re:
                          [Openid-specs-ab] Potential tickets to file<o:p></o:p></span></div>
                    </div>
                  </div>
                  <div style="margin-top: 0in; margin-right: 0in;
                    margin-left: 0in; margin-bottom: 0.0001pt;
                    font-size: 12pt; font-family: 'Times New Roman',
                    serif; "><o:p> </o:p></div>
                  <div>
                    <div style="margin-top: 0in; margin-right: 0in;
                      margin-left: 0in; margin-bottom: 0.0001pt;
                      font-size: 12pt; font-family: 'Times New Roman',
                      serif; ">Good point. <o:p></o:p></div>
                  </div>
                  <div>
                    <div style="margin-top: 0in; margin-right: 0in;
                      margin-left: 0in; margin-bottom: 0.0001pt;
                      font-size: 12pt; font-family: 'Times New Roman',
                      serif; "><o:p> </o:p></div>
                  </div>
                  <div>
                    <div style="margin-top: 0in; margin-right: 0in;
                      margin-left: 0in; margin-bottom: 0.0001pt;
                      font-size: 12pt; font-family: 'Times New Roman',
                      serif; ">In addition, sometimes it is useful to
                      have a token that survives password change as
                      well. E.g., the token for email clients while
                      using OTP on the web side. <span
                        class="apple-style-span"> </span><o:p></o:p></div>
                  </div>
                  <div>
                    <div style="margin-top: 0in; margin-right: 0in;
                      margin-left: 0in; margin-bottom: 0.0001pt;
                      font-size: 12pt; font-family: 'Times New Roman',
                      serif; "><br>
                      Nat Sakimura<o:p></o:p></div>
                  </div>
                  <div>
                    <p class="MsoNormal" style="margin-top: 0in;
                      margin-right: 0in; margin-left: 0in;
                      margin-bottom: 12pt; font-size: 12pt; font-family:
                      'Times New Roman', serif; "><br>
                      On 2012/01/18, at 4:53, John Bradley <<a
                        moz-do-not-send="true"
                        href="mailto:ve7jtb@ve7jtb.com" style="color:
                        blue; text-decoration: underline; ">ve7jtb@ve7jtb.com</a>>
                      wrote:<o:p></o:p></p>
                  </div>
                  <blockquote style="margin-top: 5pt; margin-bottom:
                    5pt; ">
                    <div>
                      <div style="margin-top: 0in; margin-right: 0in;
                        margin-left: 0in; margin-bottom: 0.0001pt;
                        font-size: 12pt; font-family: 'Times New Roman',
                        serif; ">Do we need a standard scope for
                        requesting offline access (long-lived access
                        token)?<o:p></o:p></div>
                      <div>
                        <div style="margin-top: 0in; margin-right: 0in;
                          margin-left: 0in; margin-bottom: 0.0001pt;
                          font-size: 12pt; font-family: 'Times New
                          Roman', serif; "><o:p> </o:p></div>
                      </div>
                      <div>
                        <div style="margin-top: 0in; margin-right: 0in;
                          margin-left: 0in; margin-bottom: 0.0001pt;
                          font-size: 12pt; font-family: 'Times New
                          Roman', serif; ">Some IdP use a scope for
                          offline_access.<o:p></o:p></div>
                      </div>
                      <div>
                        <div style="margin-top: 0in; margin-right: 0in;
                          margin-left: 0in; margin-bottom: 0.0001pt;
                          font-size: 12pt; font-family: 'Times New
                          Roman', serif; "><o:p> </o:p></div>
                      </div>
                      <div>
                        <div style="margin-top: 0in; margin-right: 0in;
                          margin-left: 0in; margin-bottom: 0.0001pt;
                          font-size: 12pt; font-family: 'Times New
                          Roman', serif; "><span
                            class="apple-style-span"><span
                              style="font-size: 10.5pt; font-family:
                              Arial, sans-serif; ">Enables your
                              application to perform authorized requests
                              on behalf of the user at any time. By
                              default, most access tokens expire after a
                              short time period to ensure applications
                              only make requests on behalf of the user
when they are actively using the
                              application. This permission makes the
                              access token returned by our OAuth
                              endpoint long-lived.</span></span><o:p></o:p></div>
                      </div>
                      <div>
                        <div style="margin-top: 0in; margin-right: 0in;
                          margin-left: 0in; margin-bottom: 0.0001pt;
                          font-size: 12pt; font-family: 'Times New
                          Roman', serif; "><o:p> </o:p></div>
                      </div>
                      <div>
                        <div style="margin-top: 0in; margin-right: 0in;
                          margin-left: 0in; margin-bottom: 0.0001pt;
                          font-size: 12pt; font-family: 'Times New
                          Roman', serif; "><span
                            class="apple-style-span"><span
                              style="font-size: 10.5pt; font-family:
                              Arial, sans-serif; ">What is the default
                              openID Connect access token lifetime
                              without such a scope?</span></span><o:p></o:p></div>
                      </div>
                      <div>
                        <div style="margin-top: 0in; margin-right: 0in;
                          margin-left: 0in; margin-bottom: 0.0001pt;
                          font-size: 12pt; font-family: 'Times New
                          Roman', serif; "><o:p> </o:p></div>
                      </div>
                      <div>
                        <div style="margin-top: 0in; margin-right: 0in;
                          margin-left: 0in; margin-bottom: 0.0001pt;
                          font-size: 12pt; font-family: 'Times New
                          Roman', serif; "><span
                            class="apple-style-span"><span
                              style="font-size: 10.5pt; font-family:
                              Arial, sans-serif; ">Single use? 30min?
                              Session duration?</span></span><o:p></o:p></div>
                      </div>
                      <div>
                        <div style="margin-top: 0in; margin-right: 0in;
                          margin-left: 0in; margin-bottom: 0.0001pt;
                          font-size: 12pt; font-family: 'Times New
                          Roman', serif; "><o:p> </o:p></div>
                      </div>
                      <div>
                        <div style="margin-top: 0in; margin-right: 0in;
                          margin-left: 0in; margin-bottom: 0.0001pt;
                          font-size: 12pt; font-family: 'Times New
                          Roman', serif; "><span
                            class="apple-style-span"><span
                              style="font-size: 13.5pt; font-family:
                              Arial, sans-serif; ">There are also some
                              undefined states in OAuth 2.0 with
                              expires_in.</span></span><o:p></o:p></div>
                      </div>
                      <div>
                        <div style="margin-top: 0in; margin-right: 0in;
                          margin-left: 0in; margin-bottom: 0.0001pt;
                          font-size: 12pt; font-family: 'Times New
                          Roman', serif; "><o:p> </o:p></div>
                      </div>
                      <div>
                        <div style="margin-top: 0in; margin-right: 0in;
                          margin-left: 0in; margin-bottom: 0.0001pt;
                          font-size: 12pt; font-family: 'Times New
                          Roman', serif; "><span
                            class="apple-style-span"><span
                              style="font-size: 13.5pt; font-family:
                              Arial, sans-serif; ">I would propose that
                              openID connect access tokens are single
                              use by default.  </span></span><o:p></o:p></div>
                      </div>
                      <div>
                        <div style="margin-top: 0in; margin-right: 0in;
                          margin-left: 0in; margin-bottom: 0.0001pt;
                          font-size: 12pt; font-family: 'Times New
                          Roman', serif; "><o:p> </o:p></div>
                      </div>
                      <div>
                        <div style="margin-top: 0in; margin-right: 0in;
                          margin-left: 0in; margin-bottom: 0.0001pt;
                          font-size: 12pt; font-family: 'Times New
                          Roman', serif; "><span
                            class="apple-style-span"><span
                              style="font-size: 13.5pt; font-family:
                              Arial, sans-serif; ">A server not sending
                              expires_in is indicating default expiry
                              behavior.</span></span><o:p></o:p></div>
                      </div>
                      <div>
                        <div style="margin-top: 0in; margin-right: 0in;
                          margin-left: 0in; margin-bottom: 0.0001pt;
                          font-size: 12pt; font-family: 'Times New
                          Roman', serif; "><o:p> </o:p></div>
                      </div>
                      <div>
                        <div style="margin-top: 0in; margin-right: 0in;
                          margin-left: 0in; margin-bottom: 0.0001pt;
                          font-size: 12pt; font-family: 'Times New
                          Roman', serif; "><span
                            class="apple-style-span"><span
                              style="font-size: 13.5pt; font-family:
                              Arial, sans-serif; ">A server may make
                              them longer lived by indicating that with
                              expires_in.</span></span><o:p></o:p></div>
                      </div>
                      <div>
                        <div style="margin-top: 0in; margin-right: 0in;
                          margin-left: 0in; margin-bottom: 0.0001pt;
                          font-size: 12pt; font-family: 'Times New
                          Roman', serif; "><o:p> </o:p></div>
                      </div>
                      <div>
                        <div style="margin-top: 0in; margin-right: 0in;
                          margin-left: 0in; margin-bottom: 0.0001pt;
                          font-size: 12pt; font-family: 'Times New
                          Roman', serif; "><span
                            class="apple-style-span"><span
                              style="font-size: 13.5pt; font-family:
                              Arial, sans-serif; ">A value of 0 for
                              expires_in indicates the token will not
                              expire due to time, though it may due to
                              password reset or users revoking access.</span></span><o:p></o:p></div>
                      </div>
                      <div>
                        <div style="margin-top: 0in; margin-right: 0in;
                          margin-left: 0in; margin-bottom: 0.0001pt;
                          font-size: 12pt; font-family: 'Times New
                          Roman', serif; "><o:p> </o:p></div>
                      </div>
                      <div>
                        <div style="margin-top: 0in; margin-right: 0in;
                          margin-left: 0in; margin-bottom: 0.0001pt;
                          font-size: 12pt; font-family: 'Times New
                          Roman', serif; "><span
                            class="apple-style-span"><span
                              style="font-size: 13.5pt; font-family:
                              Arial, sans-serif; ">Facebook seems to use
                              the 0 value but I can't find it documented
                              anyplace.</span></span><o:p></o:p></div>
                      </div>
                      <div>
                        <div style="margin-top: 0in; margin-right: 0in;
                          margin-left: 0in; margin-bottom: 0.0001pt;
                          font-size: 12pt; font-family: 'Times New
                          Roman', serif; "><o:p> </o:p></div>
                      </div>
                      <div>
                        <div style="margin-top: 0in; margin-right: 0in;
                          margin-left: 0in; margin-bottom: 0.0001pt;
                          font-size: 12pt; font-family: 'Times New
                          Roman', serif; "><span
                            class="apple-style-span"><span
                              style="font-size: 13.5pt; font-family:
                              Arial, sans-serif; ">If we go with single
                              use the client can always get another
                              token,  and the client doesn't need to
                              worry about storing access tokens in the
                              simple case. </span></span><o:p></o:p></div>
                      </div>
                      <div>
                        <div style="margin-top: 0in; margin-right: 0in;
                          margin-left: 0in; margin-bottom: 0.0001pt;
                          font-size: 12pt; font-family: 'Times New
                          Roman', serif; "><o:p> </o:p></div>
                      </div>
                      <div>
                        <div style="margin-top: 0in; margin-right: 0in;
                          margin-left: 0in; margin-bottom: 0.0001pt;
                          font-size: 12pt; font-family: 'Times New
                          Roman', serif; "><span
                            class="apple-style-span"><span
                              style="font-size: 13.5pt; font-family:
                              Arial, sans-serif; ">It will help  if we
                              can<span class="Apple-converted-space"> </span></span></span><span
                            class="apple-style-span"><span
                              style="font-size: 18pt; font-family:
                              Arial, sans-serif; ">interop make this
                              consistent across IdP.</span></span><o:p></o:p></div>
                      </div>
                      <div>
                        <div style="margin-top: 0in; margin-right: 0in;
                          margin-left: 0in; margin-bottom: 0.0001pt;
                          font-size: 12pt; font-family: 'Times New
                          Roman', serif; "><o:p> </o:p></div>
                      </div>
                      <div>
                        <div style="margin-top: 0in; margin-right: 0in;
                          margin-left: 0in; margin-bottom: 0.0001pt;
                          font-size: 12pt; font-family: 'Times New
                          Roman', serif; "><span
                            class="apple-style-span"><span
                              style="font-size: 18pt; font-family:
                              Arial, sans-serif; ">John</span></span><o:p></o:p></div>
                      </div>
                      <div>
                        <div style="margin-top: 0in; margin-right: 0in;
                          margin-left: 0in; margin-bottom: 0.0001pt;
                          font-size: 12pt; font-family: 'Times New
                          Roman', serif; "><o:p> </o:p></div>
                      </div>
                      <div>
                        <div style="margin-top: 0in; margin-right: 0in;
                          margin-left: 0in; margin-bottom: 0.0001pt;
                          font-size: 12pt; font-family: 'Times New
                          Roman', serif; "><o:p> </o:p></div>
                      </div>
                      <div>
                        <div style="margin-top: 0in; margin-right: 0in;
                          margin-left: 0in; margin-bottom: 0.0001pt;
                          font-size: 12pt; font-family: 'Times New
                          Roman', serif; "><o:p> </o:p></div>
                      </div>
                    </div>
                  </blockquote>
                  <blockquote style="margin-top: 5pt; margin-bottom:
                    5pt; ">
                    <div>
                      <div style="margin-top: 0in; margin-right: 0in;
                        margin-left: 0in; margin-bottom: 0.0001pt;
                        font-size: 12pt; font-family: 'Times New Roman',
                        serif; ">_______________________________________________<br>
                        Openid-specs-ab mailing list<br>
                        <a moz-do-not-send="true"
                          href="mailto:Openid-specs-ab@lists.openid.net"
                          style="color: blue; text-decoration:
                          underline; ">Openid-specs-ab@lists.openid.net</a><br>
                        <a moz-do-not-send="true"
                          href="http://lists.openid.net/mailman/listinfo/openid-specs-ab"
                          style="color: blue; text-decoration:
                          underline; ">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a></div>
                    </div>
                  </blockquote>
                </div>
              </div>
            </span></blockquote>
        </div>
        <br>
      </div>
      <br>
    </blockquote>
    <br>
  </body>
</html>