Some general defaults from some of our systems:
A fairly common profile in some collaboration systems:
Access tokens: 1h
Refresh tokens: 1 week, or doesn't expire (good until explicitly revoked)
A more paranoid profile in health systems:
Access tokens: 5min
Refresh tokens: 30min
In both cases, users and admins can revoke tokens currently in the wild
at any point before the timeout occurs.
-- Justin
On 09/07/2012 09:29 AM, Lewis Adam-CAL022 wrote:
Hi,
I would like to understand if there are any current best practices
around the lifetime of an OAuth access token and refresh token. The
spec gives guidance of a max of 10min for a code, and section 4.2.2
gives an "example" of 3600sec for an access token. There is no
mention of a lifetime for a refresh token, other than that it is
typically longer lived than an access token. Features such as
Facebook's offline access permissions certainly imply that the refresh
token can be very long lived.
It does seem that 3600s for the AT is the value I encounter most in
real-world deployments.
I understand that lifetimes are subject to particular use cases and
risk and what not ... so I'm not looking for a recommendation for "my"
use cases ... rather just looking for a starting point if there is any
consensus on the values of the lifetimes.
tx!
adam
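The two lifetime profiles Justin describes, together with revocation before the timeout, modelled as an added example (not code from the thread or from any real authorization server). PROFILES, Token and TokenStore are assumed names, the store is in-memory, and the clock is injectable so expiry can be exercised offline.

```python
# Added example, not the thread's code; PROFILES/Token/TokenStore are assumed names.
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional
# Lifetimes in seconds; None means "good until explicitly revoked".
PROFILES = {
    "collaboration": {"access": 3600, "refresh": 7 * 24 * 3600},
    "collaboration_no_expiry": {"access": 3600, "refresh": None},
    "health": {"access": 300, "refresh": 1800},
}
@dataclass
class Token:
    value: str
    kind: str                    # "access" or "refresh"
    expires_at: Optional[float]  # None = never expires
    revoked: bool = False
class TokenStore:
    def __init__(self, profile: str, clock=time.time):
        self.lifetimes = PROFILES[profile]
        self.clock = clock  # injectable so expiry can be exercised offline
        self.tokens: Dict[str, Token] = {}

    def _mint(self, kind: str) -> Token:
        ttl = self.lifetimes[kind]
        exp = None if ttl is None else self.clock() + ttl
        tok = Token(secrets.token_urlsafe(32), kind, exp)
        self.tokens[tok.value] = tok
        return tok

    def issue(self):  # one grant: access token plus refresh token
        return self._mint("access"), self._mint("refresh")

    def is_valid(self, value: str, kind: str) -> bool:
        # Unknown, wrong-kind, revoked or expired tokens all fail.
        tok = self.tokens.get(value)
        if tok is None or tok.kind != kind or tok.revoked:
            return False
        return tok.expires_at is None or self.clock() < tok.expires_at

    def refresh(self, refresh_value: str) -> Optional[Token]:
        # Exchange a live refresh token for a fresh access token.
        if not self.is_valid(refresh_value, "refresh"):
            return None
        return self._mint("access")

    def revoke(self, value: str) -> None:
        # Revocation before the timeout; effective on the next validity check.
        if value in self.tokens:
            self.tokens[value].revoked = True
```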
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth