7009 doesn't, really. If the client thinks its token is compromised, it
can revoke it using 7009. If the server decides the token is
compromised, it invalidates it on its own, not involving 7009. The
client finds out the token isn't good anymore the next time it tries to
use the token -- OAuth clients always need to be prepared for their
token not working at some point. Good news is that the remedy for having
a token that doesn't work is to just do OAuth again.
-- Justin
On 6/6/2017 5:43 PM, Brig Lamoreaux wrote:
Thanks for the reply. How does the RFC address a token that has been
compromised?
*From:* Justin Richer [mailto:[email protected]]
*Sent:* Tuesday, June 6, 2017 9:12 AM
*To:* Brig Lamoreaux <[email protected]>
*Cc:* [email protected]
*Subject:* Re: [OAUTH-WG] RFC 7009
OAuth doesn’t specify any specific timeout period; it’s up to the AS
that issues the token to determine how long the token is good for.
RFC7009 isn’t about timeout periods, it’s about the client proactively
telling the AS that it doesn’t need a token anymore and the AS should
throw it out, likely prior to any timeouts.
— Justin
On May 25, 2017, at 12:23 PM, Brig Lamoreaux <[email protected]> wrote:
Hi,
What is the specified timeout period to invalidate the token?
Brig Lamoreaux
Data Solution Architect
[email protected]
480-828-8707
US Desert/Mountain Tempe
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
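An added, in-memory model of what the two replies above describe (example code written for this page, not from the thread or any OAuth library): an RFC 7009 revocation endpoint that treats unknown, already-revoked and foreign tokens identically with a 200, an AS that can drop a token on its own without RFC 7009, and a client that simply redoes OAuth when its token stops working. The class and function names, and the use of a fresh `issue()` to stand in for a full authorization flow, are constructed assumptions.

```python
from urllib.parse import parse_qs
import secrets

class AuthServer:
    """Constructed in-memory AS: issues tokens, serves RFC 7009 revocation, can drop tokens itself."""
    def __init__(self):
        self.access = {}   # access_token -> client_id
        self.refresh = {}  # refresh_token -> (client_id, access_token)

    def issue(self, client_id):
        """Stands in for a full OAuth flow: returns a fresh (access, refresh) pair."""
        at, rt = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.access[at] = client_id
        self.refresh[rt] = (client_id, at)
        return at, rt

    def revoke(self, client_id, body):
        """RFC 7009 revocation endpoint. client_id is the already-authenticated caller,
        body the x-www-form-urlencoded POST body. Returns (http_status, json_body)."""
        form = parse_qs(body)
        token = form.get("token", [None])[0]
        hint = form.get("token_type_hint", [None])[0]
        if hint not in (None, "access_token", "refresh_token"):
            return 400, {"error": "unsupported_token_type"}
        # The hint only optimises lookup; a wrong hint must not stop the revocation.
        if self.refresh.get(token, (None,))[0] == client_id:
            _, at = self.refresh.pop(token)
            self.access.pop(at, None)  # dropping a refresh token also drops its access token
        elif self.access.get(token) == client_id:
            del self.access[token]
        # Unknown, revoked or foreign tokens still get 200 (RFC 7009 s2.2): an error would not help the client.
        return 200, {}

    def invalidate(self, token):
        """The AS decides on its own that a token is compromised; RFC 7009 is not involved."""
        self.access.pop(token, None)

    def resource(self, token):
        """Protected resource check: 200 while the access token is live, otherwise 401."""
        return 200 if token in self.access else 401

def call_api(server, client_id, access, refresh):
    """Client behaviour from the thread: expect the token to stop working at some
    point, and when it does, just do OAuth again (modelled here as a fresh issue())."""
    status = server.resource(access)
    if status == 401:
        access, refresh = server.issue(client_id)
        status = server.resource(access)
    return status, access, refresh
```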