You could have a refresh token that never expires. Having to use the refresh
token to get a new access token gives you a single control point to allow
checking whether that refresh token should still be valid. Means the RS
doesn't have to do that stuff.
On Monday, August 24, 2015 8:09 AM, John Bradley <[email protected]> wrote:
I think Nat’s diagram about the problems of doing pseudo authentication with
OAuth is being taken out of context.
The refresh token dosen’t expire, it is revoked by the user or system. In some
cases refresh tokens are automatically revoked if the users session to the AS
ends. I think AOL typically revokes refresh tokens when sessions terminate.
OpenID Connect provides a separate id_token with a independent lifetime from
the refresh token. A client may keep a refresh token for a much longer time
than the user has a login session with the AS.
Refresh tokens are typically used by confidential clients that are using a
client secret in combination with the refresh token for getting a new access
token.
By design access tokens should be short lived as the AS is expected to have a
way of revoking refresh tokens but not access tokens.A access token that
dosen't expire , and can’t be revoked is not a good idea.
John B.
On Aug 24, 2015, at 2:41 AM, Donghwan Kim <[email protected]> wrote:
Hi,
According to Figure 2 from http://tools.ietf.org/html/rfc6749#section-1.5,
refresh token can be used to refresh an expired access token without requesting
resource owner to sign in again (uncomfortable experience). However, if it's
true, isn't it that refresh token might be used to request a new access token
even years later? and then isn't refresh token the same with access token which
never expires?
I intended to use refresh token to implement persistent login by sending a
refresh request before issued access token expires (expires_in runs out). But
if refresh token works even if access token expired already, sending a refresh
request on application start up would be enough.
So I'm not sure what I'm missing about refresh token as well as how to
implement persistent login using it (you can regard authentication here
pseudo-authentication illustrated in
https://upload.wikimedia.org/wikipedia/commons/3/32/OpenIDvs.Pseudo-AuthenticationusingOAuth.svg).
What is the lifetime of refresh token?
Thanks,
-- Donghwan_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
