There is nothing explicit in draft 23 about requesting a scope lifetime. It 
is, as they say, fuzzy.

You know that some people have used additional scopes like offline_access to 
request longer lifetimes.

It may be reasonable to preconfigure something at the Authorization server 
based on client_id, but there is also the question of how to present the 
options to the user in an understandable way.

Fortunately or unfortunately, this has been punted to the specs using OAuth to 
define.

How to deal with this question for OpenID Connect is on the agenda for our F2F 
in San Francisco on Mar 2.

John B. 
On 2012-02-19, at 12:08 PM, Andrew Arnott wrote:

> From draft 23, section 10.3:
> The client SHOULD request access tokens with the minimal scope and lifetime 
> necessary. The authorization server SHOULD take the client identity into 
> account when choosing how to honor the requested scope and lifetime, and MAY 
> issue an access token with less rights than requested.
> 
> 
> I can't find the part in the spec where the client can request access tokens 
> in such a way as to influence the lifetime.  Why is the client then being 
> advised in the above section to minimize the lifetime of the access tokens it 
> asks for?
> 
> --
> Andrew Arnott
> "I [may] not agree with what you have to say, but I'll defend to the death 
> your right to say it." - S. G. Tallentyre
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
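As an added illustration of the two mechanisms the reply mentions (a per-client_id preconfiguration at the authorization server, and the offline_access scope convention for longer-lived access), here is a small token-issuance policy. It is example code written for this page, not code from the thread, the OAuth draft, or any implementation; the client ids, scopes and lifetimes are constructed, and the requested_ttl parameter is a hypothetical stand-in for whatever a profile of OAuth might use to convey a desired lifetime, since the core draft has no such parameter.

```python
"""Added example (not from the OAuth list thread or any spec): a tiny
authorization-server policy that decides the access-token lifetime and whether
a refresh token is issued, from (a) a per-client_id preconfigured maximum and
(b) the requested scopes, using the 'offline_access' convention the thread
mentions. All client ids, lifetimes and scopes below are constructed."""

from dataclasses import dataclass
from typing import FrozenSet, Optional

# Constructed per-client policy, as an AS operator might preconfigure it.
# Each client_id maps to its maximum access-token lifetime in seconds, the
# scopes it is allowed to obtain, and whether it may receive refresh tokens.
CLIENT_POLICY = {
    "web-app-123": {
        "max_ttl": 3600,
        "allowed": {"read", "write", "offline_access"},
        "refresh_ok": True,
    },
    "spa-456": {
        "max_ttl": 600,
        "allowed": {"read"},
        "refresh_ok": False,
    },
}


@dataclass(frozen=True)
class TokenDecision:
    scope: FrozenSet[str]   # scopes actually granted (may be fewer than requested)
    expires_in: int         # access-token lifetime in seconds
    issue_refresh: bool     # whether a refresh token accompanies the access token


def decide(client_id: str, requested_scope: str,
           requested_ttl: Optional[int] = None) -> TokenDecision:
    """Honor the requested scope and lifetime subject to the client's policy.

    requested_ttl is a hypothetical parameter standing in for whatever a
    profile of OAuth uses to convey a desired lifetime; the core draft has none.
    """
    policy = CLIENT_POLICY.get(client_id)
    if policy is None:
        raise ValueError("unknown client_id")
    requested = set(requested_scope.split())
    # Downscope: grant only the intersection of requested and allowed scopes,
    # which is the "less rights than requested" case in section 10.3.
    granted = requested & policy["allowed"]
    # offline_access only takes effect if this client may hold refresh tokens;
    # otherwise the scope is silently dropped from what is granted.
    issue_refresh = "offline_access" in granted and policy["refresh_ok"]
    if not issue_refresh:
        granted.discard("offline_access")
    # Lifetime: never exceed the per-client cap; honor a smaller request.
    ttl = policy["max_ttl"]
    if requested_ttl is not None and 0 < requested_ttl < ttl:
        ttl = requested_ttl
    return TokenDecision(frozenset(granted), ttl, issue_refresh)


if __name__ == "__main__":
    print(decide("web-app-123", "read write offline_access"))
    print(decide("spa-456", "read write offline_access", requested_ttl=300))
```

The point of the structure is that the client's request is only ever a lower bound on restriction: the server-side per-client_id configuration sets the ceiling on lifetime and scope, and a client asking for less than its ceiling gets less, which is the behaviour section 10.3 asks for even though the draft gives the client no explicit lifetime parameter.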
