[Openid-specs-fapi] JARM: Recommended value for lifetime of authorization response JWT
torsten at lodderstedt.net
Mon Sep 24 12:41:58 UTC 2018
Using the same default as for authz codes seems reasonable to me. I will add a recommendation.
> On 23.09.2018 at 06:16, Takahiko Kawasaki via Openid-specs-fapi <openid-specs-fapi at lists.openid.net> wrote:
> Do you have any recommended value for the lifetime of the authorization response JWT, like the authorization code in RFC 6749?
> From RFC 6749, section 4.1.2, Authorization Response:
> REQUIRED. The authorization code generated by the
> authorization server. The authorization code MUST expire
> shortly after it is issued to mitigate the risk of leaks. A
> maximum authorization code lifetime of 10 minutes is
> RECOMMENDED. The client MUST NOT use the authorization code
> more than once. If an authorization code is used more than
> once, the authorization server MUST deny the request and SHOULD
> revoke (when possible) all tokens previously issued based on
> that authorization code. The authorization code is bound to
> the client identifier and redirection URI.
> If you have one, it would be great if it were mentioned in the specification.
> Best Regards,
> Takahiko Kawasaki
> Authlete, Inc.
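The thread settles on giving the JARM authorization response JWT the same default lifetime as an authorization code, i.e. the 10-minute maximum RFC 6749 recommends. The following is an added example, not code from the thread, from the JARM specification or from Authlete: a minimal authorization-server side that issues the response JWT with `exp = iat + 600`, and a client side that rejects the response once that window has passed (or when the signature, issuer, audience or state do not match). For self-containment it signs with HS256 over a constructed shared secret; a real authorization server would normally sign with its published asymmetric key. The issuer URL, client_id, secret and code value are all constructed placeholders.

```python
import base64
import hashlib
import hmac
import json

# Constructed values for this example; none of them come from the thread.
AS_ISSUER = "https://as.example"                      # hypothetical authorization server
CLIENT_ID = "s6BhdRkqt3"                              # hypothetical client_id
SHARED_SECRET = b"example-shared-secret-do-not-reuse"  # HS256 demo key (assumption)
JARM_LIFETIME_SECONDS = 600  # 10 minutes: the RFC 6749 authorization-code default discussed above


def _b64url(data: bytes) -> str:
    """base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jarm_response(code: str, state: str, now: int) -> str:
    """Authorization-server side: wrap the authorization response in a signed JWT.

    `now` is the issue time as a Unix timestamp; exp is set to now + 10 minutes.
    """
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "iss": AS_ISSUER,
        "aud": CLIENT_ID,
        "iat": now,
        "exp": now + JARM_LIFETIME_SECONDS,
        "code": code,
        "state": state,
    }
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(SHARED_SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jarm_response(token: str, expected_state: str, now: int) -> dict:
    """Client side: check signature, issuer, audience, expiry and state; return the claims.

    Raises ValueError on any failure so the caller cannot accidentally use the
    authorization code carried by a stale or forged response.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(
        SHARED_SECRET, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256
    ).digest()
    # Constant-time comparison, and the signature is checked before any claim is trusted.
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != AS_ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("wrong audience")
    exp = claims.get("exp")
    if not isinstance(exp, int) or now >= exp:
        raise ValueError("response JWT expired")
    if claims.get("state") != expected_state:
        raise ValueError("state mismatch")
    return claims


def is_accepted(token: str, expected_state: str, now: int) -> bool:
    """Convenience wrapper: True if the client would accept the response."""
    try:
        verify_jarm_response(token, expected_state, now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    t0 = 1537792918  # constructed issue time
    tok = issue_jarm_response("SplxlOBeZQQYbYS6WxSbIA", "af0ifjsldkj", t0)
    print("fresh response accepted:", is_accepted(tok, "af0ifjsldkj", t0 + 599))
    print("response after 10 minutes accepted:", is_accepted(tok, "af0ifjsldkj", t0 + 600))
```

The expiry check uses the client's own clock against `exp`, so the response becomes useless to anyone who obtains it late, which is the same leak-mitigation reasoning RFC 6749 gives for the code itself; the code inside the JWT is still subject to the single-use rule quoted above, which the token exchange at the AS must enforce separately.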