
OAuth 2.0 v30 defines expires_in to tell the Client the time before the token will expire. This works well when you have a single duration for all scopes asked for in the request by the Client. When there is more than one type of scope, like offline and online, for example (or short-living and long-living, if you wish), what expiration duration should the OAuth provider return?

Artem Oboturov

1 Answer


The user gives a client the permission to access resources within certain scopes on his behalf. This permission is basically granted for an unlimited time for all scopes (as he has no influence on how it is handled by the provider), at least until the user manually revokes the permission on the provider side. If he only revokes part of the scopes, the currently issued access_token is made invalid and the client has to ask for a new one (which then only has the limited scope) using the refresh_token.

The reason for expiring tokens is that when they are stolen, an attacker only has access for a limited time. So the expires_in time you set as a provider should depend on how much you trust the client to keep the tokens secret, and not on the scopes.

Jan Gerlinger
  • Either I wrote it wrong or you got it the way I didn't intend to. As is written, imagine you don't have a choice between what kind of credentials the client asks for (it's a 3rd party getting access to a protected resource on the user's behalf). So the question is somewhat more technical: it consists of an explanation or proposal for choosing the returned duration thoughtfully: long/short/some mix. – Artem Oboturov Jul 23 '12 at 23:01
  • Sorry, then I still don't get it. My understanding of your question is this: You have different scopes and depending on which scopes the client (the 3rd party) requests, you want to return different `expires_in` values. So I tried to explain to you why there's IMHO no reason to make `expires_in` dependent on the scope, as all scopes are granted by the user for an unlimited time. If this is not what you asked for, could you try to describe it in other words or in more detail? – Jan Gerlinger Jul 24 '12 at 09:34
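As an added worked example (not code from the question, the answer, or any real OAuth library), the following toy authorization server follows the answer's advice: `expires_in` is chosen per client according to how much it can be trusted to keep tokens secret, not per scope; when the user withdraws some scopes, the currently issued access_token is invalidated immediately and a refresh returns a token carrying only the scopes that remain. The client identifiers, lifetimes and scope names are made-up constants, and the clock is injectable so the expiry behaviour can be exercised without waiting.

```python
"""Toy OAuth 2.0 token issuance illustrating per-client (not per-scope) expires_in.
Added example; client ids, lifetimes and scope names are hypothetical."""
import secrets
import time
from dataclasses import dataclass

# Hypothetical policy: a confidential server-side client is trusted to protect its
# tokens and gets a longer lifetime than a public/native client that cannot.
CLIENT_TOKEN_LIFETIME = {
    "confidential-web-app": 3600,   # seconds
    "public-mobile-app": 600,
}


@dataclass
class Grant:                 # what the user consented to for one client
    user: str
    client_id: str
    scopes: set
    refresh_token: str
    revoked: bool = False


@dataclass
class AccessToken:           # one issued bearer token
    client_id: str
    user: str
    scopes: frozenset
    issued_at: float
    expires_in: int
    active: bool = True


class AuthServer:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.grants = {}         # refresh_token -> Grant
        self.access_tokens = {}  # access_token -> AccessToken

    def authorize(self, user, client_id, scopes):
        """User consents to `scopes` for `client_id`; returns a token response."""
        grant = Grant(user, client_id, set(scopes), secrets.token_urlsafe(32))
        self.grants[grant.refresh_token] = grant
        return self._token_response(grant)

    def _token_response(self, grant):
        lifetime = CLIENT_TOKEN_LIFETIME[grant.client_id]  # depends on client, not scopes
        at = secrets.token_urlsafe(32)
        self.access_tokens[at] = AccessToken(grant.client_id, grant.user,
                                             frozenset(grant.scopes), self.clock(), lifetime)
        return {"access_token": at, "token_type": "Bearer", "expires_in": lifetime,
                "refresh_token": grant.refresh_token, "scope": " ".join(sorted(grant.scopes))}

    def refresh(self, refresh_token):
        """Issue a fresh access token limited to whatever scopes the grant still has."""
        grant = self.grants.get(refresh_token)
        if grant is None or grant.revoked or not grant.scopes:
            raise PermissionError("invalid_grant")
        return self._token_response(grant)

    def revoke_scopes(self, user, client_id, scopes):
        """User removes scopes from a grant; every live access token for it is invalidated."""
        for g in self.grants.values():
            if g.user == user and g.client_id == client_id and not g.revoked:
                g.scopes -= set(scopes)
                g.revoked = not g.scopes        # nothing left: the whole grant is gone
        for tok in self.access_tokens.values():
            if tok.user == user and tok.client_id == client_id:
                tok.active = False

    def introspect(self, access_token):
        """Resource-server view: active only if not invalidated and not past expires_in."""
        tok = self.access_tokens.get(access_token)
        if tok is None or not tok.active or self.clock() >= tok.issued_at + tok.expires_in:
            return {"active": False}
        return {"active": True, "scope": " ".join(sorted(tok.scopes)), "client_id": tok.client_id}


def demo():
    """Walk through the scenario from the answer with a fake clock; returns observations."""
    now = [1_700_000_000.0]
    srv = AuthServer(clock=lambda: now[0])
    web = srv.authorize("alice", "confidential-web-app", ["read", "offline_access"])
    mobile = srv.authorize("alice", "public-mobile-app", ["read", "offline_access"])
    mobile_active = srv.introspect(mobile["access_token"])["active"]
    # Alice withdraws offline_access from the web app only.
    srv.revoke_scopes("alice", "confidential-web-app", ["offline_access"])
    web_after_revoke = srv.introspect(web["access_token"])
    refreshed = srv.refresh(web["refresh_token"])
    # Alice then withdraws the last scope: the refresh token is dead too.
    srv.revoke_scopes("alice", "confidential-web-app", ["read"])
    try:
        srv.refresh(web["refresh_token"])
        refresh_after_full_revoke = "ok"
    except PermissionError as e:
        refresh_after_full_revoke = str(e)
    now[0] += 601                      # the mobile token simply ages out
    return {"web_expires_in": web["expires_in"], "mobile_expires_in": mobile["expires_in"],
            "mobile_active": mobile_active, "web_after_revoke": web_after_revoke,
            "refreshed_scope": refreshed["scope"], "refreshed_expires_in": refreshed["expires_in"],
            "refresh_after_full_revoke": refresh_after_full_revoke,
            "mobile_expired": srv.introspect(mobile["access_token"])}


if __name__ == "__main__":
    print(demo())
```

The point the answer makes is visible in `_token_response`: the two grants above carry identical scopes yet receive different `expires_in` values because the lifetime is keyed on the client, while scope changes are handled by invalidation plus refresh rather than by giving each scope its own expiry.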