[Openid-specs-fapi] Issue #539: Access token lifetime (openid/fapi)
josephheenan
issues-reply at bitbucket.org
Wed Aug 24 16:52:07 UTC 2022
New issue 539: Access token lifetime
https://bitbucket.org/openid/fapi/issues/539/access-token-lifetime
Joseph Heenan:
It was discussed on today's WG call (in the context of https://bitbucket.org/openid/fapi/issues/526/decide-on-b-access-token-injection-with-id#comment-64002944) that there currently doesn't seem to be anything said about the lifetime of access tokens.
There seemed to be a consensus on possibly saying something on the subject.
A possible initial suggestion:
> Authorization servers issuing long-lived grants (e.g. months) should issue short-lived access tokens combined with refresh tokens. This allows clients to rotate the sender-constraining keys without loss of grants, either because of compromise of the key or as part of good security hygiene.
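As an added illustration of the suggestion above (not part of this issue or of any FAPI text), a toy authorization server in Python that issues a months-long grant as a short-lived, key-bound access token plus a single-use refresh token; at refresh the client may present a new key thumbprint, so the grant survives key rotation while access tokens bound to the old key simply expire. Token formats, the `jkt` thumbprint values and the TTLs are constructed assumptions, loosely modelled on the DPoP `cnf`/`jkt` binding.

```python
import secrets
from dataclasses import dataclass, field

ACCESS_TOKEN_TTL = 300              # access tokens live for 5 minutes (assumed value)
GRANT_TTL = 90 * 24 * 3600          # the grant itself lives for about 3 months (assumed)

@dataclass
class Grant:
    expires_at: float
    jkt: str                        # thumbprint of the key the grant is currently bound to

@dataclass
class AuthServer:
    clock: float = 0.0              # injectable clock (seconds) so the flow is deterministic
    grants: dict = field(default_factory=dict)         # grant_id -> Grant
    refresh_index: dict = field(default_factory=dict)  # refresh_token -> grant_id
    access_tokens: dict = field(default_factory=dict)  # access_token -> (jkt, exp)

    def _mint_access(self, jkt):
        token = secrets.token_urlsafe(16)
        self.access_tokens[token] = (jkt, self.clock + ACCESS_TOKEN_TTL)
        return token

    def _mint_refresh(self, grant_id):
        token = secrets.token_urlsafe(16)
        self.refresh_index[token] = grant_id
        return token

    def authorize(self, jkt):
        """Issue a long-lived grant as a short-lived access token plus a refresh token."""
        grant_id = secrets.token_hex(8)
        self.grants[grant_id] = Grant(self.clock + GRANT_TTL, jkt)
        return self._mint_access(jkt), self._mint_refresh(grant_id)

    def refresh(self, refresh_token, jkt):
        """Rotate tokens; the client may present a new key thumbprint, which rebinds the
        grant without re-authorization. Returns None where a real AS would answer
        with an invalid_grant error."""
        grant_id = self.refresh_index.pop(refresh_token, None)   # refresh tokens are single-use
        if grant_id is None or self.grants[grant_id].expires_at <= self.clock:
            return None
        self.grants[grant_id].jkt = jkt
        return self._mint_access(jkt), self._mint_refresh(grant_id)

    def introspect(self, access_token, presented_jkt):
        """Resource-server check: the token must be unexpired and bound to the presented key."""
        jkt, exp = self.access_tokens.get(access_token, (None, 0.0))
        return exp > self.clock and jkt == presented_jkt
```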