On Sun, May 9, 2010 at 1:56 PM, Eran Hammer-Lahav <[email protected]> wrote:

> The authorization server can issue an access token with any expiration but
> should not issue expiration later than that of the assertion. But still,
> there is nothing to prevent that.

Wait, why shouldn't the authorization server issue an access token with an expiration past the notAfter date in the assertion? The common process here is to swap a SAML assertion with a very short lifetime (a minute or two) for a cookie that lasts a longer period of time.

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
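The two positions in the exchange above, worked through as an added example that is not code from the thread or from either author: the authorization server validates a constructed SAML assertion's Conditions window, then sets the access token expiry either capped to the assertion's NotOnOrAfter (the quoted recommendation) or uncapped (the short-assertion-for-long-cookie practice in the reply). The sample assertion XML, the clock-skew allowance and the function names are assumptions.

```python
"""Token-lifetime policy when swapping a short-lived assertion for an access token.

Added illustration; the assertion XML is constructed and the cap_to_assertion
flag models the two readings in the mailing-list exchange.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
MAX_CLOCK_SKEW = timedelta(seconds=30)  # assumed tolerance between IdP and AS clocks

# Constructed sample: a bearer assertion whose validity window is two minutes.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_constructed-example">
  <saml:Conditions NotBefore="2010-05-09T13:56:00Z" NotOnOrAfter="2010-05-09T13:58:00Z"/>
</saml:Assertion>"""


def _parse_utc(value):
    """Parse the SAML 'Z'-suffixed timestamp form into an aware UTC datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def assertion_window(xml_text):
    """Return (NotBefore, NotOnOrAfter) taken from the assertion's Conditions element."""
    root = ET.fromstring(xml_text)
    cond = root.find(f"{{{SAML_NS}}}Conditions")
    if cond is None or cond.get("NotBefore") is None or cond.get("NotOnOrAfter") is None:
        raise ValueError("assertion lacks a usable Conditions window")
    return _parse_utc(cond.get("NotBefore")), _parse_utc(cond.get("NotOnOrAfter"))


def issue_token_expiry(xml_text, now, token_lifetime, cap_to_assertion):
    """Check the assertion is valid at 'now' and return the access token expiry.

    cap_to_assertion=True  : expiry never exceeds the assertion's NotOnOrAfter.
    cap_to_assertion=False : expiry is now + token_lifetime, as with a long-lived
                             cookie issued in exchange for a short-lived assertion.
    Raises ValueError if the assertion is outside its window (skew allowed).
    """
    not_before, not_on_or_after = assertion_window(xml_text)
    if now + MAX_CLOCK_SKEW < not_before:
        raise ValueError("assertion not yet valid")
    if now - MAX_CLOCK_SKEW >= not_on_or_after:
        raise ValueError("assertion expired")
    expiry = now + token_lifetime
    if cap_to_assertion:
        expiry = min(expiry, not_on_or_after)
    return expiry
```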
