Responses inline.

On Fri, Jun 27, 2025 at 3:02 PM Andrii Deinega <andrii.dein...@gmail.com> wrote:
> Hi Nick,
>
> What does an AS do when time-limited user consent expires
> (consent_expires_in)?

When user consent expires, the state in the AS will essentially be reset as if the user had never granted access before, as there will be no valid credentials in existence and no valid record of user consent on the AS. (Different AS impls may retain a tombstone for auditing purposes.) Do you think it's worth adding any of this in the spec? I'd probably make it non-normative, e.g. in an implementation notes or privacy considerations section.

> Does it invalidate ATs for a user? Or... does it require the user to
> re-consent to the requested scopes? If so, how should it do that in your
> view?

Good point. I'll add a line about how AT lifetime must not exceed consent_expires_in. If a user renews their consent, I don't think it's necessary for the AS to update AT expiration in addition to RT expiration, as clients can just get a new one with the RT, but I'll mention it with "MAY" just in case any AS issues stateful ATs and wants to do it.

> Would you like to allow users to set an expiration date for their consent
> on the consent page?

How consent expiration gets set is an implementation detail for the AS, I think, but yes, I would expect the most common choice is letting users select an expiration on the consent page, either a predetermined set of options or a freeform field. Could be another point for a non-normative section, maybe?

> I suggest renaming field refresh_token_expiration_types to
> refresh_token_expiration_types_supported in AS's metadata (in order to use
> the same name convention).
>
> A minor nit: in the provided examples, you need to omit " around values
> provided for parameters *refresh_token_expires_in* and
> *consent_expires_in*.

Thanks. Fixed both.
> All the best,
> Andrii
>
> On Fri, Jun 27, 2025 at 10:44 AM Nick Watson <nwatson=40google....@dmarc.ietf.org> wrote:
>
>> Hi all,
>>
>> I have written up a draft for expiring refresh tokens, including both
>> expiration from time-limited user consent as well as expiration due to
>> enforced RT rotation deadline.
>>
>> https://datatracker.ietf.org/doc/draft-watson-oauth-refresh-token-expiration/
>>
>> Have a look and let me know what you think.
>>
>> - Nick
_______________________________________________ OAuth mailing list -- oauth@ietf.org To unsubscribe send an email to oauth-le...@ietf.org
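The behaviour discussed in this thread (AT and RT lifetimes clamped to the remaining consent lifetime, the AS state reset when consent lapses, the numeric `refresh_token_expires_in` / `consent_expires_in` fields, and RT lifetime extension on re-consent), as an added example that is not part of the draft or of anyone's message above. Only the two response field names come from the draft; the in-memory storage layout, the one-hour default AT lifetime, the seven-day rotation deadline, the `InvalidGrant` exception, the `renew_consent` helper and the constructed consent values in `walkthrough()` are assumptions made for this example.

```python
import secrets
import time

# Assumed policy values for this example; the draft does not prescribe them.
DEFAULT_AT_LIFETIME = 3600          # access tokens live at most one hour
ROTATION_DEADLINE = 7 * 24 * 3600   # a refresh token must be rotated within seven days


class InvalidGrant(Exception):
    """Refresh rejected; a real token endpoint would answer with error=invalid_grant."""


class AuthorizationServer:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.consents = {}        # consent_id -> {"sub", "client_id", "scope", "expires_at"}
        self.refresh_tokens = {}  # refresh_token -> {"consent_id", "expires_at"}

    def record_consent(self, sub, client_id, scope, lifetime):
        """Store a grant the user limited to `lifetime` seconds (assumed consent-page choice)."""
        consent_id = secrets.token_urlsafe(8)
        self.consents[consent_id] = {"sub": sub, "client_id": client_id, "scope": scope,
                                     "expires_at": self.clock() + lifetime}
        return consent_id

    def _purge_consent(self, consent_id):
        """Expired consent: drop it and every RT bound to it, as if access were never granted."""
        self.consents.pop(consent_id, None)
        for rt in [k for k, v in self.refresh_tokens.items() if v["consent_id"] == consent_id]:
            del self.refresh_tokens[rt]

    def _remaining_consent(self, consent_id):
        """Seconds of consent left; purges state and refuses if the consent has lapsed."""
        consent = self.consents.get(consent_id)
        if consent is None or consent["expires_at"] <= self.clock():
            self._purge_consent(consent_id)
            raise InvalidGrant("consent expired or unknown")
        return int(consent["expires_at"] - self.clock())

    def issue_tokens(self, consent_id):
        """Token response in which neither the AT nor the RT outlives the consent."""
        remaining = self._remaining_consent(consent_id)
        at_lifetime = min(DEFAULT_AT_LIFETIME, remaining)
        rt_lifetime = min(ROTATION_DEADLINE, remaining)
        refresh_token = secrets.token_urlsafe(32)
        self.refresh_tokens[refresh_token] = {"consent_id": consent_id,
                                              "expires_at": self.clock() + rt_lifetime}
        return {
            "access_token": secrets.token_urlsafe(32),
            "token_type": "Bearer",
            "expires_in": at_lifetime,                # JSON numbers, not quoted strings
            "refresh_token": refresh_token,
            "refresh_token_expires_in": rt_lifetime,
            "consent_expires_in": remaining,
        }

    def refresh(self, refresh_token):
        """Refresh-token grant with rotation: the presented RT is consumed, a new one issued."""
        entry = self.refresh_tokens.pop(refresh_token, None)
        if entry is None:
            raise InvalidGrant("unknown or already rotated refresh token")
        self._remaining_consent(entry["consent_id"])  # resets AS state if the consent lapsed
        if entry["expires_at"] <= self.clock():
            raise InvalidGrant("refresh token past its rotation deadline")
        return self.issue_tokens(entry["consent_id"])

    def renew_consent(self, consent_id, lifetime):
        """User re-consented: extend the consent and its RTs; ATs are left for clients to refresh."""
        consent = self.consents[consent_id]
        consent["expires_at"] = self.clock() + lifetime
        for entry in self.refresh_tokens.values():
            if entry["consent_id"] == consent_id:
                entry["expires_at"] = min(self.clock() + ROTATION_DEADLINE, consent["expires_at"])
        return int(consent["expires_at"] - self.clock())


def walkthrough():
    """Two-day consent (constructed input): lifetimes are clamped, and expiry resets the AS."""
    now = [1_000_000]                             # mutable fake clock for a deterministic run
    server = AuthorizationServer(clock=lambda: now[0])

    def lifetimes(r):
        return (r["expires_in"], r["refresh_token_expires_in"], r["consent_expires_in"])

    cid = server.record_consent("alice", "client-1", "read", 2 * 24 * 3600)
    first = server.issue_tokens(cid)
    now[0] += 2 * 24 * 3600 - 600                 # ten minutes before the consent lapses
    second = server.refresh(first["refresh_token"])
    results = {"first": lifetimes(first), "second": lifetimes(second)}
    for label, token, delay in (("replay", first["refresh_token"], 0),
                                ("after_expiry", second["refresh_token"], 600)):
        now[0] += delay
        try:
            server.refresh(token)
            results[label] = "accepted"
        except InvalidGrant as err:
            results[label] = f"rejected: {err}"
    results["state"] = (len(server.consents), len(server.refresh_tokens))
    return results
```

`walkthrough()` returns `first == (3600, 172800, 172800)` (the RT is clamped to the two-day consent, not the seven-day rotation deadline), `second == (600, 600, 600)` (with ten minutes of consent left, the AT may not be issued for the usual hour), a rejected replay of the rotated RT, a rejected refresh once the consent has lapsed, and `state == (0, 0)`: no consent record and no refresh token survive, which is the "reset as if never granted" behaviour described above. An AS that wants an audit trail would write a tombstone elsewhere rather than keep the live record.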