Hi Ishan,

Yes, I should update that text in the next draft of OAuth 2.1 to reference the "Refresh Token and Authorization Expiration" draft, assuming the call for adoption passes: https://datatracker.ietf.org/doc/draft-watson-oauth-refresh-token-expiration/

Aaron

On Wed, Nov 26, 2025 at 9:01 AM Ishan Chawla <[email protected]> wrote:

> Hi everyone,
>
> As per OAuth 2.1 RFC, it's not important to communicate refresh token
> expiration time, but I believe differently.
>
> OAuth 2.1 <https://datatracker.ietf.org/doc/draft-ietf-oauth-v2-1/> RFC
> says this: "Note that there is no need to communicate the lifetime of the
> refresh token to the client, because the client can't do anything different
> with the knowledge of the lifetime. Additionally, the authorization server
> might choose to use dynamic lifetimes (e.g. the refresh token expiry is
> extended as long as the refresh token is used at least once every 7 days),
> or the authorization server might revoke the refresh token before its
> scheduled expiration date for any reason, such as if the user revokes the
> application's access. This means the client already has to handle the case
> of a refresh token expiring at an arbitrary time. Regardless of why or when
> the refresh token expires, the client has only one path to obtain new tokens,
> which is to start a new OAuth flow from the beginning. For that reason,
> there is no property defined to communicate the expiration of a refresh
> token to the client."
>
> We have scheduled agents, which are actions like creating a document
> automatically every week - which suddenly break when the refresh token expires
> - we ideally want to be able to warn users X days in advance to re-auth
> when the refresh token is about to expire, but since IDPs don't provide refresh
> expiry - we can't do this.
>
> Isn't it better to include refresh expiry?
>
> Thanks!
>
> Ishan
>
> Software Engineer, Glean

_______________________________________________
OAuth mailing list -- [email protected]
To unsubscribe send an email to [email protected]
