<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<font face="Helvetica, Arial, sans-serif">I think the
"offline_access" issue is important. Here is how we are planning
to approach it (whether for OAuth2 or OpenID Connect).<br>
<br>
If the "offline_access" scope is not present in the scope list,
then all access_tokens and refresh_tokens will be tied to the
lifetime of the authentication session created by the flow. This
means that when the user logs out, all access_tokens and
refresh_tokens are revoked.<br>
<br>
If the "offline_access" scope is specified, then the refresh_token
(and subsequently the access_tokens) are NOT tied to the
authentication session. They live beyond the current session.
However, the access_tokens still have a "short" time to live. They
are not single use. Asking the client to get single use tokens for
every request is not going to work for many use cases.<br>
<br>
When it comes to the actual lifetime of the access_token, I think
that decision needs to be made by the Authorization Server and
could change depending on the "risk" of the requested scopes among
other factors. Since the protocols allow the AS to specify the
expiry time, it seems like we don't need to specify that in the
spec.<br>
<br>
If we need to document something for interop and conformance, I'd
prefer to do so at the level of tokens being tied to the
authentication session or not.<br>
<br>
Thanks,<br>
George<br>
</font><br>
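The session-binding policy George describes (tokens die with the login session unless "offline_access" was requested, access_tokens stay short-lived and reusable), sketched as an added Python example; it is not code from any of the posters or from the OpenID/OAuth specs, and the AuthorizationServer class, the 600-second access_token lifetime and the session ids are assumptions.<br>

```python
import secrets

ACCESS_TOKEN_TTL = 600  # assumed value for the "short" access_token lifetime (seconds)


class AuthorizationServer:
    """Toy AS (hypothetical, not any product's code) for the session-binding policy."""

    def __init__(self):
        self.tokens = {}  # token string -> record

    def _store(self, kind, binding, scopes, now):
        token = secrets.token_urlsafe(16)
        # Only access_tokens expire by time; refresh_tokens live until revoked.
        expires = now + ACCESS_TOKEN_TTL if kind == "access" else None
        self.tokens[token] = {"kind": kind, "session": binding, "scopes": scopes,
                              "expires": expires, "revoked": False}
        return token

    def issue(self, session_id, scopes, now):
        # Without offline_access both tokens are bound to the login session and
        # die with it; with offline_access they carry no session binding.
        binding = None if "offline_access" in scopes else session_id
        return {"access_token": self._store("access", binding, scopes, now),
                "refresh_token": self._store("refresh", binding, scopes, now),
                "expires_in": ACCESS_TOKEN_TTL}

    def logout(self, session_id):
        # End of the authentication session: revoke everything bound to it.
        for rec in self.tokens.values():
            if rec["session"] == session_id:
                rec["revoked"] = True

    def validate(self, token, now, kind="access"):
        # Tokens are reusable until they expire or are revoked (not single use).
        rec = self.tokens.get(token)
        if rec is None or rec["kind"] != kind or rec["revoked"]:
            return False
        return rec["expires"] is None or now < rec["expires"]

    def refresh(self, refresh_token, now):
        # A new access_token inherits the session binding of its refresh_token.
        if not self.validate(refresh_token, now, kind="refresh"):
            return None
        rec = self.tokens[refresh_token]
        return {"access_token": self._store("access", rec["session"], rec["scopes"], now),
                "expires_in": ACCESS_TOKEN_TTL}
```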
On 1/17/12 8:22 PM, John Bradley wrote:
<blockquote
cite="mid:78A9327A-E04A-4A83-AFCE-F60370F4E38B@ve7jtb.com"
type="cite">I think we should track the
issue.
<div><br>
</div>
<div>We could easily get different IdP assigning different
meanings to expires_in=0 etc.</div>
<div><br>
</div>
<div>I don't know what the correct answer is at the moment, but I
see it as a potential interop problem for clients.</div>
<div><br>
</div>
<div>John <br>
<div>
<div>On 2012-01-17, at 7:36 PM, Mike Jones wrote:</div>
<br class="Apple-interchange-newline">
<blockquote type="cite"><span class="Apple-style-span"
style="border-collapse: separate; font-family: Helvetica;
font-style: normal; font-variant: normal; font-weight:
normal; letter-spacing: normal; line-height: normal;
orphans: 2; text-align: -webkit-auto; text-indent: 0px;
text-transform: none; white-space: normal; widows: 2;
word-spacing: 0px; -webkit-border-horizontal-spacing: 0px;
-webkit-border-vertical-spacing: 0px;
-webkit-text-decorations-in-effect: none;
-webkit-text-size-adjust: auto; -webkit-text-stroke-width:
0px; font-size: medium; ">
<div bgcolor="white" link="blue" vlink="purple"
lang="EN-US">
<div class="WordSection1" style="page: WordSection1; ">
<div style="margin-top: 0in; margin-right: 0in;
margin-left: 0in; margin-bottom: 0.0001pt;
font-size: 12pt; font-family: 'Times New Roman',
serif; "><span style="font-size: 11pt; font-family:
Calibri, sans-serif; color: rgb(31, 73, 125); ">I
don’t see a compelling case for baking token
lifetime decisions into the specs at this time.
This seems like an area where we would profitably
learn from implementation experiences, once a
number of them have been in production and
specific issues and choices faced can be
identified and described.<o:p></o:p></span></div>
<div style="margin-top: 0in; margin-right: 0in;
margin-left: 0in; margin-bottom: 0.0001pt;
font-size: 12pt; font-family: 'Times New Roman',
serif; "><span style="font-size: 11pt; font-family:
Calibri, sans-serif; color: rgb(31, 73, 125); "><o:p> </o:p></span></div>
<div style="margin-top: 0in; margin-right: 0in;
margin-left: 0in; margin-bottom: 0.0001pt;
font-size: 12pt; font-family: 'Times New Roman',
serif; "><span style="font-size: 11pt; font-family:
Calibri, sans-serif; color: rgb(31, 73, 125); ">
-- Mike<o:p></o:p></span></div>
<div style="margin-top: 0in; margin-right: 0in;
margin-left: 0in; margin-bottom: 0.0001pt;
font-size: 12pt; font-family: 'Times New Roman',
serif; "><span style="font-size: 11pt; font-family:
Calibri, sans-serif; color: rgb(31, 73, 125); "><o:p> </o:p></span></div>
<div>
<div style="border-right-style: none;
border-bottom-style: none; border-left-style:
none; border-width: initial; border-color:
initial; border-top-style: solid;
border-top-color: rgb(181, 196, 223);
border-top-width: 1pt; padding-top: 3pt;
padding-right: 0in; padding-bottom: 0in;
padding-left: 0in; ">
<div style="margin-top: 0in; margin-right: 0in;
margin-left: 0in; margin-bottom: 0.0001pt;
font-size: 12pt; font-family: 'Times New Roman',
serif; "><b><span style="font-size: 10pt;
font-family: Tahoma, sans-serif; ">From:</span></b><span
style="font-size: 10pt; font-family: Tahoma,
sans-serif; "><span
class="Apple-converted-space"> </span><a
moz-do-not-send="true"
href="mailto:openid-specs-ab-bounces@lists.openid.net">openid-specs-ab-bounces@lists.openid.net</a>
[<a class="moz-txt-link-freetext" href="mailto:openid-specs-ab-bounces@lists.openid.net">mailto:openid-specs-ab-bounces@lists.openid.net</a>]<span
class="Apple-converted-space"> </span><b>On
Behalf Of<span class="Apple-converted-space"> </span></b>Nat
Sakimura<br>
<b>Sent:</b><span
class="Apple-converted-space"> </span>Tuesday,
January 17, 2012 2:10 PM<br>
<b>To:</b><span class="Apple-converted-space"> </span>John
Bradley<br>
<b>Cc:</b><span class="Apple-converted-space"> </span><a
moz-do-not-send="true"
href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a><br>
<b>Subject:</b><span
class="Apple-converted-space"> </span>Re:
[Openid-specs-ab] Potential tickets to file<o:p></o:p></span></div>
</div>
</div>
<div style="margin-top: 0in; margin-right: 0in;
margin-left: 0in; margin-bottom: 0.0001pt;
font-size: 12pt; font-family: 'Times New Roman',
serif; "><o:p> </o:p></div>
<div>
<div style="margin-top: 0in; margin-right: 0in;
margin-left: 0in; margin-bottom: 0.0001pt;
font-size: 12pt; font-family: 'Times New Roman',
serif; ">Good point. <o:p></o:p></div>
</div>
<div>
<div style="margin-top: 0in; margin-right: 0in;
margin-left: 0in; margin-bottom: 0.0001pt;
font-size: 12pt; font-family: 'Times New Roman',
serif; "><o:p> </o:p></div>
</div>
<div>
<div style="margin-top: 0in; margin-right: 0in;
margin-left: 0in; margin-bottom: 0.0001pt;
font-size: 12pt; font-family: 'Times New Roman',
serif; ">In addition, sometimes it is useful to
have a token that survives password change as
well. E.g., the token for email clients while
using OTP on the web side. <span
class="apple-style-span"> </span><o:p></o:p></div>
</div>
<div>
<div style="margin-top: 0in; margin-right: 0in;
margin-left: 0in; margin-bottom: 0.0001pt;
font-size: 12pt; font-family: 'Times New Roman',
serif; "><br>
Nat Sakimura<o:p></o:p></div>
</div>
<div>
<p class="MsoNormal" style="margin-top: 0in;
margin-right: 0in; margin-left: 0in;
margin-bottom: 12pt; font-size: 12pt; font-family:
'Times New Roman', serif; "><br>
On 2012/01/18, at 4:53, John Bradley <<a
moz-do-not-send="true"
href="mailto:ve7jtb@ve7jtb.com" style="color:
blue; text-decoration: underline; ">ve7jtb@ve7jtb.com</a>>
wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top: 5pt; margin-bottom:
5pt; ">
<div>
<div style="margin-top: 0in; margin-right: 0in;
margin-left: 0in; margin-bottom: 0.0001pt;
font-size: 12pt; font-family: 'Times New Roman',
serif; ">Do we need a standard scope for
requesting offline access (long-lived access
token)?<o:p></o:p></div>
<div>
<div style="margin-top: 0in; margin-right: 0in;
margin-left: 0in; margin-bottom: 0.0001pt;
font-size: 12pt; font-family: 'Times New
Roman', serif; "><o:p> </o:p></div>
</div>
<div>
<div style="margin-top: 0in; margin-right: 0in;
margin-left: 0in; margin-bottom: 0.0001pt;
font-size: 12pt; font-family: 'Times New
Roman', serif; ">Some IdP use a scope for
offline_access.<o:p></o:p></div>
</div>
<div>
<div style="margin-top: 0in; margin-right: 0in;
margin-left: 0in; margin-bottom: 0.0001pt;
font-size: 12pt; font-family: 'Times New
Roman', serif; "><o:p> </o:p></div>
</div>
<div>
<div style="margin-top: 0in; margin-right: 0in;
margin-left: 0in; margin-bottom: 0.0001pt;
font-size: 12pt; font-family: 'Times New
Roman', serif; "><span
class="apple-style-span"><span
style="font-size: 10.5pt; font-family:
Arial, sans-serif; ">Enables your
application to perform authorized requests
on behalf of the user at any time. By
default, most access tokens expire after a
short time period to ensure applications
only make requests on behalf of the user
when they are actively using the
application. This permission makes the
access token returned by our OAuth
endpoint long-lived.</span></span><o:p></o:p></div>
</div>
<div>
<div style="margin-top: 0in; margin-right: 0in;
margin-left: 0in; margin-bottom: 0.0001pt;
font-size: 12pt; font-family: 'Times New
Roman', serif; "><o:p> </o:p></div>
</div>
<div>
<div style="margin-top: 0in; margin-right: 0in;
margin-left: 0in; margin-bottom: 0.0001pt;
font-size: 12pt; font-family: 'Times New
Roman', serif; "><span
class="apple-style-span"><span
style="font-size: 10.5pt; font-family:
Arial, sans-serif; ">What is the default
openID Connect access token lifetime
without such a scope?</span></span><o:p></o:p></div>
</div>
<div>
<div style="margin-top: 0in; margin-right: 0in;
margin-left: 0in; margin-bottom: 0.0001pt;
font-size: 12pt; font-family: 'Times New
Roman', serif; "><o:p> </o:p></div>
</div>
<div>
<div style="margin-top: 0in; margin-right: 0in;
margin-left: 0in; margin-bottom: 0.0001pt;
font-size: 12pt; font-family: 'Times New
Roman', serif; "><span
class="apple-style-span"><span
style="font-size: 10.5pt; font-family:
Arial, sans-serif; ">Single use? 30min?
Session duration?</span></span><o:p></o:p></div>
</div>
<div>
<div style="margin-top: 0in; margin-right: 0in;
margin-left: 0in; margin-bottom: 0.0001pt;
font-size: 12pt; font-family: 'Times New
Roman', serif; "><o:p> </o:p></div>
</div>
<div>
<div style="margin-top: 0in; margin-right: 0in;
margin-left: 0in; margin-bottom: 0.0001pt;
font-size: 12pt; font-family: 'Times New
Roman', serif; "><span
class="apple-style-span"><span
style="font-size: 13.5pt; font-family:
Arial, sans-serif; ">There are also some
undefined states in OAuth 2.0 with
expires_in.</span></span><o:p></o:p></div>
</div>
<div>
<div style="margin-top: 0in; margin-right: 0in;
margin-left: 0in; margin-bottom: 0.0001pt;
font-size: 12pt; font-family: 'Times New
Roman', serif; "><o:p> </o:p></div>
</div>
<div>
<div style="margin-top: 0in; margin-right: 0in;
margin-left: 0in; margin-bottom: 0.0001pt;
font-size: 12pt; font-family: 'Times New
Roman', serif; "><span
class="apple-style-span"><span
style="font-size: 13.5pt; font-family:
Arial, sans-serif; ">I would propose that
openID connect access tokens are single
use by default. </span></span><o:p></o:p></div>
</div>
<div>
<div style="margin-top: 0in; margin-right: 0in;
margin-left: 0in; margin-bottom: 0.0001pt;
font-size: 12pt; font-family: 'Times New
Roman', serif; "><o:p> </o:p></div>
</div>
<div>
<div style="margin-top: 0in; margin-right: 0in;
margin-left: 0in; margin-bottom: 0.0001pt;
font-size: 12pt; font-family: 'Times New
Roman', serif; "><span
class="apple-style-span"><span
style="font-size: 13.5pt; font-family:
Arial, sans-serif; ">A server not sending
expires_in is indicating default expiry
behavior.</span></span><o:p></o:p></div>
</div>
<div>
<div style="margin-top: 0in; margin-right: 0in;
margin-left: 0in; margin-bottom: 0.0001pt;
font-size: 12pt; font-family: 'Times New
Roman', serif; "><o:p> </o:p></div>
</div>
<div>
<div style="margin-top: 0in; margin-right: 0in;
margin-left: 0in; margin-bottom: 0.0001pt;
font-size: 12pt; font-family: 'Times New
Roman', serif; "><span
class="apple-style-span"><span
style="font-size: 13.5pt; font-family:
Arial, sans-serif; ">A server may make
them longer lived by indicating that with
expires_in.</span></span><o:p></o:p></div>
</div>
<div>
<div style="margin-top: 0in; margin-right: 0in;
margin-left: 0in; margin-bottom: 0.0001pt;
font-size: 12pt; font-family: 'Times New
Roman', serif; "><o:p> </o:p></div>
</div>
<div>
<div style="margin-top: 0in; margin-right: 0in;
margin-left: 0in; margin-bottom: 0.0001pt;
font-size: 12pt; font-family: 'Times New
Roman', serif; "><span
class="apple-style-span"><span
style="font-size: 13.5pt; font-family:
Arial, sans-serif; ">A value of 0 for
expires_in indicates the token will not
expire due to time, though it may due to
password reset or users revoking access.</span></span><o:p></o:p></div>
</div>
<div>
<div style="margin-top: 0in; margin-right: 0in;
margin-left: 0in; margin-bottom: 0.0001pt;
font-size: 12pt; font-family: 'Times New
Roman', serif; "><o:p> </o:p></div>
</div>
<div>
<div style="margin-top: 0in; margin-right: 0in;
margin-left: 0in; margin-bottom: 0.0001pt;
font-size: 12pt; font-family: 'Times New
Roman', serif; "><span
class="apple-style-span"><span
style="font-size: 13.5pt; font-family:
Arial, sans-serif; ">Facebook seems to use
the 0 value but I can't find it documented
anyplace.</span></span><o:p></o:p></div>
</div>
<div>
<div style="margin-top: 0in; margin-right: 0in;
margin-left: 0in; margin-bottom: 0.0001pt;
font-size: 12pt; font-family: 'Times New
Roman', serif; "><o:p> </o:p></div>
</div>
<div>
<div style="margin-top: 0in; margin-right: 0in;
margin-left: 0in; margin-bottom: 0.0001pt;
font-size: 12pt; font-family: 'Times New
Roman', serif; "><span
class="apple-style-span"><span
style="font-size: 13.5pt; font-family:
Arial, sans-serif; ">If we go with single
use the client can always get another
token, and the client doesn't need to
worry about storing access tokens in the
simple case. </span></span><o:p></o:p></div>
</div>
<div>
<div style="margin-top: 0in; margin-right: 0in;
margin-left: 0in; margin-bottom: 0.0001pt;
font-size: 12pt; font-family: 'Times New
Roman', serif; "><o:p> </o:p></div>
</div>
<div>
<div style="margin-top: 0in; margin-right: 0in;
margin-left: 0in; margin-bottom: 0.0001pt;
font-size: 12pt; font-family: 'Times New
Roman', serif; "><span
class="apple-style-span"><span
style="font-size: 13.5pt; font-family:
Arial, sans-serif; ">It will help
interop if we can<span class="Apple-converted-space"> </span></span></span><span
class="apple-style-span"><span
style="font-size: 18pt; font-family:
Arial, sans-serif; ">make this
consistent across IdP.</span></span><o:p></o:p></div>
</div>
<div>
<div style="margin-top: 0in; margin-right: 0in;
margin-left: 0in; margin-bottom: 0.0001pt;
font-size: 12pt; font-family: 'Times New
Roman', serif; "><o:p> </o:p></div>
</div>
<div>
<div style="margin-top: 0in; margin-right: 0in;
margin-left: 0in; margin-bottom: 0.0001pt;
font-size: 12pt; font-family: 'Times New
Roman', serif; "><span
class="apple-style-span"><span
style="font-size: 18pt; font-family:
Arial, sans-serif; ">John</span></span><o:p></o:p></div>
</div>
<div>
<div style="margin-top: 0in; margin-right: 0in;
margin-left: 0in; margin-bottom: 0.0001pt;
font-size: 12pt; font-family: 'Times New
Roman', serif; "><o:p> </o:p></div>
</div>
<div>
<div style="margin-top: 0in; margin-right: 0in;
margin-left: 0in; margin-bottom: 0.0001pt;
font-size: 12pt; font-family: 'Times New
Roman', serif; "><o:p> </o:p></div>
</div>
<div>
<div style="margin-top: 0in; margin-right: 0in;
margin-left: 0in; margin-bottom: 0.0001pt;
font-size: 12pt; font-family: 'Times New
Roman', serif; "><o:p> </o:p></div>
</div>
</div>
</blockquote>
<blockquote style="margin-top: 5pt; margin-bottom:
5pt; ">
<div>
<div style="margin-top: 0in; margin-right: 0in;
margin-left: 0in; margin-bottom: 0.0001pt;
font-size: 12pt; font-family: 'Times New Roman',
serif; ">_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a moz-do-not-send="true"
href="mailto:Openid-specs-ab@lists.openid.net"
style="color: blue; text-decoration:
underline; ">Openid-specs-ab@lists.openid.net</a><br>
<a moz-do-not-send="true"
href="http://lists.openid.net/mailman/listinfo/openid-specs-ab"
style="color: blue; text-decoration:
underline; ">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a></div>
</div>
</blockquote>
</div>
</div>
</span></blockquote>
</div>
<br>
</div>
<br>
</blockquote>
<br>
</body>
</html>