Section 4.5 of the OAuth Core spec provides that extension spec MAY issue refresh tokens. Yet, section 3.1 of the OAuth2 SAML Bearer specification currently says SHOULD NOT (from draft 09):
> Authorization servers SHOULD issue access tokens with a limited lifetime and
> require clients to refresh them by requesting a new access token using the
> same assertion, if it is still valid, or with a new assertion. The
> authorization server SHOULD NOT issue a refresh token.

There has been some confusion as to why authorization servers SHOULD NOT issue refresh tokens. Apparently this wording was put in place because a SAML Bearer authorization might have a shorter life than typical refresh token lifetime. Hence there was a concern that an authorization server would inadvertently issue a long-lasting refresh token that outlives the original SAML Bearer authorization.

In order to make this concern clear I propose the following text that makes clear the concern and makes refresh tokens more permissive:

    Authorization servers SHOULD issue access tokens with a limited lifetime and require clients to refresh them by requesting a new access token using the same assertion, if it is still valid, or with a new assertion. The authorization server SHOULD NOT issue a refresh token that has an expiry longer than the lifetime of the authorization grant.

I'm not aware of any other concerns regarding refresh tokens being issued in conjunction with SAML Bearer assertions? Are there any concerns that suggest we should keep the wording as generally SHOULD NOT?

Phil
@independentid
www.independentid.com
phil.h...@oracle.com
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
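One way an authorization server could apply the proposed cap (refresh token expiry never exceeding the assertion's validity window), as an added Python example that is not from the thread or from any OAuth implementation; the sample assertion, the token lifetimes and the function names are constructed for illustration:

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ACCESS_TOKEN_LIFETIME = timedelta(minutes=10)   # "limited lifetime" access token
DEFAULT_REFRESH_LIFETIME = timedelta(days=14)   # typical long-lived refresh token
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample assertion (not from the thread); only <Conditions> matters here.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example1" Version="2.0" IssueInstant="2012-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Conditions NotBefore="2012-01-01T12:00:00Z" NotOnOrAfter="2012-01-01T13:00:00Z"/>
</saml:Assertion>"""


def _parse_ts(value):
    return datetime.strptime(value, TS_FMT).replace(tzinfo=timezone.utc)


def assertion_validity(xml_text):
    """Return (NotBefore, NotOnOrAfter) from the assertion-level Conditions element."""
    cond = ET.fromstring(xml_text).find("saml:Conditions", SAML_NS)
    if cond is None or "NotOnOrAfter" not in cond.attrib or "NotBefore" not in cond.attrib:
        # An unbounded grant gives nothing to cap the refresh token against: refuse.
        raise ValueError("assertion has no bounded validity window")
    return _parse_ts(cond.attrib["NotBefore"]), _parse_ts(cond.attrib["NotOnOrAfter"])


def issue_tokens(xml_text, now_iso):
    """Issue token expiries bounded by the assertion's remaining validity.

    Returns ISO-8601 strings; refresh_token_expires is None when the grant will
    not outlive the access token, since a refresh token would then be pointless.
    """
    now = _parse_ts(now_iso)
    not_before, not_on_or_after = assertion_validity(xml_text)
    if not (not_before <= now < not_on_or_after):
        raise ValueError("assertion is not valid at the time of the token request")
    grant_remaining = not_on_or_after - now
    access_exp = now + min(ACCESS_TOKEN_LIFETIME, grant_remaining)
    refresh_exp = None
    if grant_remaining > ACCESS_TOKEN_LIFETIME:
        # Proposed rule: refresh token expiry never exceeds the grant's lifetime.
        refresh_exp = now + min(DEFAULT_REFRESH_LIFETIME, grant_remaining)
    return {
        "access_token_expires": access_exp.strftime(TS_FMT),
        "refresh_token_expires": refresh_exp.strftime(TS_FMT) if refresh_exp else None,
    }
```

Real deployments would also check the SubjectConfirmationData NotOnOrAfter, the audience and the signature before reaching this step; the example only shows the lifetime cap.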