[Openid-specs-fapi] Issue #52: Access Token / Refresh Token description not required? (openid/fapi)
Nat Sakimura
nat at sakimura.org
Thu Dec 8 14:05:46 UTC 2016
Yes and no. While it probably is better to refer to the OIDC for token
lifetime constraints, the TokenLifetime section in OpenID Connect Core
does not talk about:
- the implication of the bearer token
- the implication of the token being used against multiple resources
These build up to bring in the notion of Holder of key token and
resource audience constrained token respectively in Part 2. So, I would
argue to keep the section and those descriptions here while we should
refer to OIDC core for the recommendation on the token lifetime itself.
---
Nat Sakimura
Chairman, OpenID Foundation
On 2016-12-08 22:42, Dave Tonge via Openid-specs-fapi wrote:
> New issue 52: Access Token / Refresh Token description not required?
> https://bitbucket.org/openid/fapi/issues/52/access-token-refresh-token-description-not
>
> Dave Tonge:
>
> https://bitbucket.org/openid/fapi/annotate/d4edc14c0b76155c97623edb521bfdc56afd64b7/Financial_API_WD_001.md?at=master&fileviewer=file-view-default#Financial_API_WD_001.md-342
>
> This paragraph seems unneeded - or at the very least should refer to:
> http://openid.net/specs/openid-connect-core-1_0.html#TokenLifetime