sbp commented on issue #335: URL: https://github.com/apache/tooling-trusted-releases/issues/335#issuecomment-3597535190
Another place where DPoP is used is in [ATProto](https://en.wikipedia.org/wiki/AT_Protocol). Their [section on token lifetimes](https://atproto.com/specs/oauth#tokens-and-session-lifetime) says:

> access token lifetimes should be less than 30 minutes in all situations. [...] overall session lifetime and the lifetime of individual refresh tokens should both be limited to 2 weeks [...] Servers must rotate nonces periodically, with a maximum lifetime of 5 minutes

They also use [PAR (RFC 9126)](https://datatracker.ietf.org/doc/html/rfc9126), but are worried that it may be "found to be too onerous a requirement for client implementations". They seem to have no such reservations about DPoP.

One of the stated purposes of RFC 9449 is to make exfiltration of the access token unexploitable. A 30-minute lifetime for access tokens, chosen by the ATProto authors, appears to conflict with this design feature.
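As an added example, not part of sbp's comment or of any ATProto or tooling-trusted-releases code: the resource-server checks RFC 9449 describes for a DPoP-bound access token (key binding via `cnf.jkt`, token binding via `ath`, server nonce), with the ATProto lifetime limits quoted above applied as policy. Keys, tokens and nonces are constructed placeholders, and verification of the proof's JWS signature is assumed to be done beforehand by a JOSE library.

```python
import base64
import hashlib
import json

# Policy limits from the ATProto spec quoted above, in seconds.
MAX_ACCESS_TOKEN_LIFETIME = 30 * 60
MAX_NONCE_LIFETIME = 5 * 60


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of an EC public JWK; this is the value cnf.jkt carries."""
    members = {k: jwk[k] for k in ("crv", "kty", "x", "y")}
    canonical = json.dumps(members, separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode()).digest())


def check_dpop_request(access_token, token_claims, proof_claims, proof_jwk,
                       issued_nonces, now):
    """Resource-server checks from RFC 9449; returns rejection reasons (empty = accept).
    Assumes a JOSE library already verified the proof's JWS signature with proof_jwk."""
    reasons = []
    # The token was bound to one key at issuance (cnf.jkt); only that key may use it.
    if token_claims.get("cnf", {}).get("jkt") != jwk_thumbprint(proof_jwk):
        reasons.append("cnf.jkt does not match the key in the DPoP proof")
    # The proof must commit to this exact token: ath = base64url(SHA-256(token)).
    expected_ath = b64url(hashlib.sha256(access_token.encode("ascii")).digest())
    if proof_claims.get("ath") != expected_ath:
        reasons.append("ath does not match the presented access token")
    # The nonce must be one this server issued and still inside its 5-minute life.
    nonce_time = issued_nonces.get(proof_claims.get("nonce"))
    if nonce_time is None or now - nonce_time > MAX_NONCE_LIFETIME:
        reasons.append("DPoP nonce unknown or older than 5 minutes")
    if now >= token_claims["exp"]:
        reasons.append("access token expired")
    if token_claims["exp"] - token_claims["iat"] > MAX_ACCESS_TOKEN_LIFETIME:
        reasons.append("access token lifetime exceeds 30 minutes")
    return reasons


# Constructed sample data: placeholder coordinates, not real EC points.
CLIENT_JWK = {"kty": "EC", "crv": "P-256", "x": "client-x-placeholder", "y": "client-y-placeholder"}
OTHER_JWK = {"kty": "EC", "crv": "P-256", "x": "other-x-placeholder", "y": "other-y-placeholder"}
TOKEN = "constructed.access.token"
TOKEN_CLAIMS = {"iat": 1_000_000, "exp": 1_000_000 + 25 * 60, "cnf": {"jkt": jwk_thumbprint(CLIENT_JWK)}}
NONCES = {"nonce-1": 1_000_100}


def demo(proof_jwk, now=1_000_200, token_claims=TOKEN_CLAIMS):
    proof = {"ath": b64url(hashlib.sha256(TOKEN.encode()).digest()), "nonce": "nonce-1"}
    return check_dpop_request(TOKEN, token_claims, proof, proof_jwk, NONCES, now)
```

`demo(CLIENT_JWK)` accepts the request, while `demo(OTHER_JWK)` rejects the same unexpired token because it is presented with a key other than the one in `cnf.jkt`, which is the property the comment says RFC 9449 is designed to provide.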
