On 2010-05-10, at 4:20 PM, Brian Eaton wrote: > On Sun, May 9, 2010 at 7:34 PM, Dick Hardt <dick.ha...@gmail.com> wrote: >> There a couple of choices for the flows for how a successful delegation is >> conveyed to the delegate. The AS could return a delegation code that is >> similar to a verification code and the delegate acquires an access token >> similar to 3.6.2 >> Alternatively, the AS could return an delegation token that is used similar >> to a refresh token to obtain an access token and refresh token. > > How about lifespan? When does the token expire? And can the client > request a shorter expiration?
I would expect these to be contained in the scope requested. > > Can the client request revocation of the delegate's token? > > What are the semantics around revocation? If a client has their > access revoked, is the delegate access revoked as well? Had not considered revocation by the client. I have no answer to these questions right now. :) -- Dick _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth