I support adoption.

The draft should probably discuss what can/should happen when the user desires to grant a refresh token with multiple scopes but to have different authorization lifetimes for the different granted scopes. I could imagine a few options:

- return an array of values corresponding to the array of scopes
- return the minimum time across the granted scopes
- extend RAR to have an analogously structured field
- require that separate tokens are granted in this scenario such that the authorization expiration applies as-is to all scopes in a given token

My instinct leans towards the first but the others seem plausible as well.

-Ben

On Thu, Nov 13, 2025 at 12:02:39PM -0800, Rifaat Shekh-Yusef via Datatracker wrote:
>
> Subject: Call for adoption: draft-watson-oauth-refresh-token-expiration-01
> (Ends 2025-11-27)
>
> This message starts a 2-week Call for Adoption for this document.
>
> Abstract:
> This specification extends OAuth 2.0 [RFC6749] by adding new token
> endpoint response parameters to specify refresh token expiration and
> user authorization expiration.
>
> File can be retrieved from:
> https://datatracker.ietf.org/doc/draft-watson-oauth-refresh-token-expiration/
>
> Please reply to this message keeping [email protected] in copy by indicating
> whether you support or not the adoption of this draft as a WG document.
> Comments to motivate your preference are highly appreciated.
>
> Authors, and WG participants in general, are reminded of the Intellectual
> Property Rights (IPR) disclosure obligations described in BCP 79 [2].
> Appropriate IPR disclosures required for full conformance with the provisions
> of BCP 78 [1] and BCP 79 [2] must be filed, if you are aware of any.
> Sanctions available for application to violators of IETF IPR Policy can be
> found at [3].
>
> Thank you.
> [1] https://datatracker.ietf.org/doc/bcp78/
> [2] https://datatracker.ietf.org/doc/bcp79/
> [3] https://datatracker.ietf.org/doc/rfc6701/
>
> _______________________________________________
> OAuth mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
