We’re implementing support for the device code draft and had a question on what the “expiration” of the code refers to. Obviously, once the code has expired it can no longer be used. But when should the expiration count from? Say I have a code that’s good for 60 seconds, do I start the timer as soon as I issue the code to the client? Do I reset the timer when the user approves the client, to another 60 seconds? Or does that 60 seconds count for the entire transaction?
My read on it is the latter -- one timeout for the entire lifetime of the code regardless of its current state, with no resets. But I didn’t find good guidance in the document itself.
Secondly, I had a question about the “response_type” parameter to the device endpoint. This parameter is required and it has a single, required value, with no registry or other possibility of extension. What’s the point? If it’s for “parallelism”, I’ll note that this is *not* the authorization endpoint (as the user is not present) and such constraints need not apply here.
— Justin