Hi, I would like to understand if there are any current best practices around the lifetime of an OAuth access token and refresh token. The spec gives guidance of a max of 10 min for a code, and section 4.2.2 gives an "example" of 3600 sec for an access token. There is no mention of a lifetime for a refresh token, other than that it is typically longer-lived than an access token. Features such as Facebook's offline access permissions certainly imply that the refresh token can be very long-lived.
It does seem that 3600 s for the AT is the value I encounter most in real-world deployments. I understand that lifetimes are subject to particular use cases and risk and whatnot ... so I'm not looking for a recommendation for "my" use cases ... rather just looking for a starting point, if there is any consensus on the values of the lifetimes. tx! adam
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
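The three lifetimes the post asks about, worked through in code. This is an added example, not code from the post or from the OAuth list; it takes the 10-minute code limit from RFC 6749 section 4.1.2 and the 3600-second access token from the section 4.2.2 example, while the 14-day refresh-token lifetime, the 30-second client skew margin, the `FakeClock`, `AuthorizationServer` and `Client` names and the refresh-token rotation are assumptions made for the example (the spec gives no refresh-token number and only permits rotation).

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

# Lifetimes in seconds. The code and access-token values follow RFC 6749
# (section 4.1.2 recommends a 10-minute maximum for a code; section 4.2.2
# uses expires_in=3600 as its example). The refresh-token lifetime and the
# client-side skew margin are assumptions; the spec gives no numbers.
CODE_LIFETIME = 600
ACCESS_TOKEN_LIFETIME = 3600
REFRESH_TOKEN_LIFETIME = 14 * 24 * 3600   # assumption
CLOCK_SKEW = 30                           # assumption


class FakeClock:
    """Controllable clock so the lifetimes can be exercised offline."""
    def __init__(self, start: float = 1_700_000_000.0):
        self.t = start
    def __call__(self) -> float:
        return self.t
    def advance(self, seconds: float) -> None:
        self.t += seconds


@dataclass
class AuthorizationServer:
    now: Callable[[], float] = time.time
    # token value -> (client_id, absolute expiry time)
    _codes: Dict[str, Tuple[str, float]] = field(default_factory=dict)
    _refresh_tokens: Dict[str, Tuple[str, float]] = field(default_factory=dict)

    def issue_code(self, client_id: str) -> str:
        code = secrets.token_urlsafe(32)
        self._codes[code] = (client_id, self.now() + CODE_LIFETIME)
        return code

    def exchange_code(self, code: str, client_id: str) -> dict:
        # pop(): a code is single use whether or not the checks below pass.
        entry = self._codes.pop(code, None)
        if entry is None or entry[0] != client_id or self.now() > entry[1]:
            raise ValueError("invalid_grant")
        return self._token_response(client_id)

    def refresh(self, refresh_token: str, client_id: str) -> dict:
        # Also pop(): each refresh rotates the refresh token. RFC 6749
        # section 6 permits this; it is a design choice, not a requirement.
        entry = self._refresh_tokens.pop(refresh_token, None)
        if entry is None or entry[0] != client_id or self.now() > entry[1]:
            raise ValueError("invalid_grant")
        return self._token_response(client_id)

    def _token_response(self, client_id: str) -> dict:
        refresh_token = secrets.token_urlsafe(32)
        self._refresh_tokens[refresh_token] = (
            client_id, self.now() + REFRESH_TOKEN_LIFETIME)
        return {
            "access_token": secrets.token_urlsafe(32),
            "token_type": "Bearer",
            "expires_in": ACCESS_TOKEN_LIFETIME,   # relative seconds (section 5.1)
            "refresh_token": refresh_token,
        }


@dataclass
class Client:
    now: Callable[[], float] = time.time
    access_token: str = ""
    refresh_token: str = ""
    expires_at: float = 0.0

    def store(self, response: dict) -> None:
        # expires_in is relative to issue time, so pin it to an absolute
        # time on receipt instead of re-reading the relative value later.
        self.access_token = response["access_token"]
        self.refresh_token = response["refresh_token"]
        self.expires_at = self.now() + response["expires_in"]

    def needs_refresh(self) -> bool:
        # Refresh early by the skew margin so a request in flight does not
        # arrive after the token has already expired on the server.
        return self.now() >= self.expires_at - CLOCK_SKEW


def run_scenario() -> dict:
    """Drive the three lifetimes on a fake clock and report each outcome."""
    clock = FakeClock()
    server = AuthorizationServer(now=clock)
    client = Client(now=clock)
    out = {}

    stale = server.issue_code("app")
    clock.advance(CODE_LIFETIME + 1)
    try:
        server.exchange_code(stale, "app")
        out["stale_code_rejected"] = False
    except ValueError:
        out["stale_code_rejected"] = True

    client.store(server.exchange_code(server.issue_code("app"), "app"))
    out["fresh_token_needs_refresh"] = client.needs_refresh()
    clock.advance(ACCESS_TOKEN_LIFETIME - CLOCK_SKEW)
    out["refresh_due_before_expiry"] = client.needs_refresh()

    old_rt = client.refresh_token
    client.store(server.refresh(old_rt, "app"))
    out["refresh_token_rotated"] = client.refresh_token != old_rt
    try:
        server.refresh(old_rt, "app")
        out["old_refresh_token_rejected"] = False
    except ValueError:
        out["old_refresh_token_rejected"] = True

    clock.advance(REFRESH_TOKEN_LIFETIME + 1)
    try:
        server.refresh(client.refresh_token, "app")
        out["expired_refresh_token_rejected"] = False
    except ValueError:
        out["expired_refresh_token_rejected"] = True
    return out


if __name__ == "__main__":
    print(run_scenario())
```

The server owns every lifetime as an absolute expiry it computes itself, and the client treats `expires_in` only as a hint that it converts to an absolute time on receipt; whatever concrete numbers a deployment settles on, that split is what keeps a longer-lived refresh token from turning into a longer-lived access token by accident.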
