Hi folks,
Reviewed this draft when it was
https://datatracker.ietf.org/doc/draft-watson-oauth-refresh-token-expiration/
but my understanding is that nothing changed between the documents.
Comments.
Section 6.1:
"If finite, the authorization server"
... is that another way of saying this RFC is optional?
How do you typically say "if this RFC is implemented"?
Section 6.1.2
I find the term "Infinite Expiration" a bit confusing. Maybe Non-Expiring,
Indefinite or Perpetual would be clearer?
So the section title could be changed to "Indefinite Expiration"
and
omitted response fields could indicate
either indefinite validity or simply lack of support for this
specification. However, infinite expiration and lack of information
about expiration should be handled by the client in the same way.
That is to say, the client must always handle refresh token
invalidation not caused by expiration, such as by explicit user
revocation.
becomes
omitted response fields could indicate
either perpetual refresh token validity or simply lack of support for
this specification. However, lack of expiration and lack of information
about expiration should be handled by the client in the same way.
That is to say, the client must always handle refresh token
invalidation not caused by expiration, such as by explicit user
revocation.
Section 6.3
Would it be more precise to change "An exchange" to "A refresh token grant"
throughout the examples?
What if a refresh token has expired but we are within the authorization
window? That might be a good example to add.
Section 7
I didn't understand refresh_token_expiration_types_supported and the
different types of expiration offered. What is the difference between
expiration of type "credential" vs type "authorization"?
What did I miss?
Section 9
I see [OAuth 2.1 Sec 4.3.1] referenced, but it is not in the Normative
references section.
Or would it be better to point to the published BCP 9700 instead of the
unpublished OAuth 2.1 draft?
https://www.rfc-editor.org/rfc/rfc9700.html#refresh_token_protection talks
about refresh token rotation (4.14.2).
Thanks,
Dan
_______________________________________________
OAuth mailing list -- [email protected]
To unsubscribe send an email to [email protected]
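Added example, not part of the list post, the draft, or any implementation: client-side bookkeeping that follows the behaviour the quoted Section 6.1.2 text asks for (an omitted refresh-token expiration field and "infinite expiration" are handled identically, and a refresh_token grant answered with invalid_grant always leads back to re-authorization, since revocation and expiry look the same to the client). The draft's actual field name for the refresh-token lifetime is not given on this page, so the name `refresh_token_expires_in` used here is an assumption; the token responses are constructed sample data. Standard fields (`access_token`, `expires_in`, `refresh_token`, the `invalid_grant` error) are from RFC 6749.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# ASSUMED name for the refresh-token lifetime field (seconds). The draft's real
# field name is not on this page; adjust to whatever the spec finally uses.
REFRESH_EXPIRY_FIELD = "refresh_token_expires_in"


@dataclass(frozen=True)
class TokenState:
    access_token: str
    access_expires_at: Optional[float]   # None if the server sent no expires_in
    refresh_token: Optional[str]
    # None covers BOTH "indefinite validity" and "server did not say";
    # the client treats the two identically, as Section 6.1.2 requires.
    refresh_expires_at: Optional[float]


def parse_token_response(body: dict, now: float,
                         prior: Optional[TokenState] = None) -> TokenState:
    """Build client state from a successful token response (RFC 6749 s5.1).

    `prior` is the state held before a refresh_token grant. If the response
    carries no refresh_token, the previously issued one stays in use (RFC 6749
    s6), together with whatever expiry information was already known for it.
    """
    access_expires_at = now + float(body["expires_in"]) if "expires_in" in body else None
    if "refresh_token" in body:
        refresh_token = body["refresh_token"]
        refresh_expires_at = (now + float(body[REFRESH_EXPIRY_FIELD])
                              if REFRESH_EXPIRY_FIELD in body else None)
    elif prior is not None:
        refresh_token, refresh_expires_at = prior.refresh_token, prior.refresh_expires_at
    else:
        refresh_token, refresh_expires_at = None, None
    return TokenState(body["access_token"], access_expires_at, refresh_token, refresh_expires_at)


def next_action(state: TokenState, now: float, skew: float = 30.0) -> str:
    """Decide what to do before the next resource request.

    Returns 'use' (access token still good), 'refresh' (run a refresh_token
    grant), or 'reauthorize' (the refresh token is known to be unusable).
    `skew` is a safety margin for clock differences.
    """
    if state.access_expires_at is None or now + skew < state.access_expires_at:
        return "use"
    if state.refresh_token is None:
        return "reauthorize"
    if state.refresh_expires_at is not None and now + skew >= state.refresh_expires_at:
        return "reauthorize"   # known expired: skip the doomed round trip
    return "refresh"           # unknown or indefinite lifetime: just try it


def handle_refresh_response(state: TokenState, status: int, body: dict,
                            now: float) -> Tuple[str, Optional[TokenState]]:
    """Map the token endpoint's answer to a refresh_token grant to (action, state).

    invalid_grant (RFC 6749 s5.2) means re-authorize no matter what the client
    believed about the refresh token's lifetime: user revocation, rotation
    reuse detection and expiry are indistinguishable from the client side.
    """
    if status == 200:
        return "use", parse_token_response(body, now, prior=state)
    if status == 400 and body.get("error") == "invalid_grant":
        return "reauthorize", None
    return "error", state      # other errors: keep state, surface to caller


if __name__ == "__main__":
    # Constructed sample responses, not captured from any real server.
    t0 = 1000.0
    no_info = parse_token_response(
        {"access_token": "a1", "token_type": "Bearer", "expires_in": 300,
         "refresh_token": "r1"}, now=t0)
    finite = parse_token_response(
        {"access_token": "a2", "token_type": "Bearer", "expires_in": 300,
         "refresh_token": "r2", REFRESH_EXPIRY_FIELD: 3600}, now=t0)
    print("no expiry info, access stale:", next_action(no_info, t0 + 300))
    print("finite, refresh token expired:", next_action(finite, t0 + 3600))
    print("invalid_grant, no expiry info:",
          handle_refresh_response(no_info, 400, {"error": "invalid_grant"}, t0 + 300)[0])
```

The point of keeping `refresh_expires_at` as `None` for both the "perpetual" and the "server said nothing" case is that no code path can branch on the distinction; the only thing a known-finite lifetime buys the client is skipping a refresh attempt that is certain to fail.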