By the same argument, the client can know how long the tokens are good for via API description. What we're talking about is a programmatic hint by the AS to the Client about what the token is good for. One common use is time-limited, and so provisions for that have been baked in so that everybody does it the same way. If there's enough out there to be use-limited or other bits, we should have a tiny provision to extend this in a similar fashion.
-- Justin

________________________________
From: Torsten Lodderstedt [[email protected]]
Sent: Tuesday, January 17, 2012 12:26 PM
To: Paul Madsen
Cc: [email protected]; Richer, Justin P.; OAuth WG
Subject: Re: AW: Re: [OAUTH-WG] Access Token Response without expires_in

Hi Paul,

that's not what I meant. The Client should know which tokens should be one time usage based on the API description. The authz server must not return expires_in because this would not make any sense in this case.

regards,
Torsten

Paul Madsen <[email protected]> wrote:

Hi Torsten, yes the use case in question is payment-based as well.

Your suggestion for the client to infer one-time usage from a missing expires_in contradicts the general consensus of this thread, does it not?

paul

On 1/17/12 11:38 AM, [email protected] wrote:

Hi,

isn't one-time semantics typically associated with certain requests on certain resources/resource types? I therefore would assume the client to know which tokens to use one-time only. The authz server should not return an expires_in parameter. We for example use one time access tokens for payment transactions.

What would such an extension specify?

regards,
Torsten.

Sent with BlackBerry® Webmail from Telekom Deutschland

-----Original Message-----
From: Paul Madsen <[email protected]>
Sender: [email protected]
Date: Tue, 17 Jan 2012 08:23:37
To: Richer, Justin P.<[email protected]>
Cc: OAuth WG<[email protected]>
Subject: Re: [OAUTH-WG] Access Token Response without expires_in

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
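The client-side handling debated in this thread, as an added example that is not part of any message above: a token store that uses `expires_in` when the AS sends it and otherwise falls back to a one-time-use policy the client derives from the API description. `ONE_TIME_SCOPES`, `StoredToken`, the scope names and the sample responses are assumptions constructed for illustration.

```python
import time

# Assumption: the API description says tokens for these scopes are single-use.
ONE_TIME_SCOPES = {"payment"}

# Constructed sample token responses (not captured from a real AS).
PAYMENT_RESPONSE = {"access_token": "tok-pay", "token_type": "bearer"}
TIMED_RESPONSE = {"access_token": "tok-read", "token_type": "bearer",
                  "expires_in": 3600}


class StoredToken:
    def __init__(self, response, requested_scope, now=None):
        now = time.time() if now is None else now
        self.value = response["access_token"]
        # "scope" may be omitted from the response when it equals the request.
        scopes = set(response.get("scope", requested_scope).split())
        # A missing expires_in means "no lifetime hint from the AS",
        # not "valid forever"; the resource server can still reject it.
        expires_in = response.get("expires_in")
        self.expires_at = None if expires_in is None else now + int(expires_in)
        self.one_time = bool(scopes & ONE_TIME_SCOPES)
        self.used = False

    def usable(self, now=None):
        now = time.time() if now is None else now
        if self.one_time and self.used:
            return False  # single-use token already presented once
        if self.expires_at is not None and now >= self.expires_at:
            return False  # time-limited token past its hinted lifetime
        return True

    def take(self, now=None):
        """Return the token for one request, or None if a new one is needed."""
        if not self.usable(now):
            return None
        self.used = True
        return self.value
```
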
