Section 4.5 of the OAuth Core spec provides that extension specs MAY issue 
refresh tokens.  Yet, section 3.1 of the OAuth2 SAML Bearer specification 
currently says SHOULD NOT (from draft 09):

> Authorization servers SHOULD issue access tokens with a limited lifetime and 
> require clients to refresh them by requesting a new access token using the 
> same assertion, if it is still valid, or with a new assertion.  The 
> authorization server SHOULD NOT issue a refresh token.

There has been some confusion as to why authorization servers SHOULD NOT issue 
refresh tokens. Apparently this wording was put in place because a SAML Bearer 
authorization might have a shorter life than typical refresh token lifetime. 
Hence there was a concern that an authorization server would inadvertently 
issue a long-lasting refresh token that outlives the original SAML Bearer 
authorization.  In order to make this concern clear, I propose the following 
text that makes clear the concern and makes refresh tokens more permissive:

Authorization servers SHOULD issue access tokens with a limited lifetime and 
require clients to refresh them by requesting a new access token using the same 
assertion, if it is still valid, or with a new assertion.  The authorization 
server SHOULD NOT issue a refresh token that has an expiry longer than the 
lifetime of the authorization grant.

I'm not aware of any other concerns regarding refresh tokens being issued in 
conjunction with SAML Bearer assertions.  Are there any concerns that suggest 
we should keep the wording as generally SHOULD NOT?

Phil

@independentid
www.independentid.com
phil.h...@oracle.com

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
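An illustration of the proposed rule (refresh token expiry bounded by the lifetime of the authorization grant), written as an added example for this thread rather than code from the post, the spec, or any implementation. It assumes the grant's lifetime is the SAML assertion's NotBefore/NotOnOrAfter window and that the access and refresh token lifetimes shown are the server's own (hypothetical) policy values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Assertion:
    """Validity window of a SAML Bearer assertion (NotOnOrAfter is exclusive)."""
    not_before: datetime
    not_on_or_after: datetime


@dataclass
class TokenResponse:
    access_token_expires: datetime
    refresh_token_expires: Optional[datetime]  # None => no refresh token issued


# Hypothetical authorization-server policy values, not from the spec.
ACCESS_TOKEN_LIFETIME = timedelta(minutes=10)
DEFAULT_REFRESH_LIFETIME = timedelta(days=30)


def issue_tokens(assertion: Assertion, now: datetime,
                 access_lifetime: timedelta = ACCESS_TOKEN_LIFETIME,
                 refresh_lifetime: timedelta = DEFAULT_REFRESH_LIFETIME) -> TokenResponse:
    """Issue tokens whose expiry never outlives the assertion that authorized them."""
    if not (assertion.not_before <= now < assertion.not_on_or_after):
        raise ValueError("assertion is not valid at the current time")

    grant_end = assertion.not_on_or_after
    # Both tokens are clipped to the end of the authorization grant.
    access_exp = min(now + access_lifetime, grant_end)
    refresh_exp = min(now + refresh_lifetime, grant_end)

    # A refresh token that would expire no later than the access token cannot
    # extend the session, so none is issued; the client must present the
    # assertion again (or a new one) to obtain a fresh access token.
    if refresh_exp <= access_exp:
        return TokenResponse(access_exp, None)
    return TokenResponse(access_exp, refresh_exp)


if __name__ == "__main__":
    # Constructed sample: an assertion valid for two hours from a fixed "now".
    now = datetime(2012, 1, 1, 12, 0, tzinfo=timezone.utc)
    a = Assertion(now - timedelta(minutes=1), now + timedelta(hours=2))
    print(issue_tokens(a, now))
```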