Lifetime for JARM JWT

Issue #195 resolved
Torsten Lodderstedt created an issue


Do you have any recommended value for lifetime of authorization response JWT like the authorization code in RFC 6749?

From RFC 6749, 4.1.2. Authorization Response


    REQUIRED.  The authorization code generated by the
    authorization server.  The authorization code MUST expire
    shortly after it is issued to mitigate the risk of leaks.  *A
    maximum authorization code lifetime of 10 minutes is
    RECOMMENDED.*  The client MUST NOT use the authorization code
    more than once.  If an authorization code is used more than
    once, the authorization server MUST deny the request and SHOULD
    revoke (when possible) all tokens previously issued based on
    that authorization code.  The authorization code is bound to
    the client identifier and redirection URI.

If you have, it would be great if it is mentioned in the specification.
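As an added illustration (not part of the issue or the JARM specification), the following Python shows the client-side checks the quoted RFC 6749 text implies, applied to the claims of a JARM response JWT: issuer and audience binding, an absolute expiry, a policy ceiling on `exp - iat` (the 10-minute value is borrowed from RFC 6749's authorization-code guidance and is an assumption, since JARM states no number), and one-time redemption of the code. It assumes the JWS signature has already been verified by a JWT library; the sample claims are constructed.

```python
MAX_RESPONSE_LIFETIME = 600  # seconds; assumption borrowed from RFC 6749's code lifetime


def check_jarm_claims(claims, expected_iss, client_id, now, max_lifetime=MAX_RESPONSE_LIFETIME):
    """Policy checks on a JARM response JWT's claims; return None on success,
    otherwise a short rejection reason. Assumes the JWS signature was already
    verified by a JWT library, so only issuer, audience and lifetime are checked."""
    if claims.get("iss") != expected_iss:
        return "unexpected issuer"
    aud = claims.get("aud")
    if aud != client_id and not (isinstance(aud, list) and client_id in aud):
        return "response not addressed to this client"
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, int):
        return "exp claim missing"
    if exp <= now:
        return "response expired"
    if isinstance(iat, int) and exp - iat > max_lifetime:
        return "lifetime exceeds policy maximum"
    if "code" not in claims and "error" not in claims:
        return "neither code nor error in response"
    return None


class CodeReplayGuard:
    """Ensures an authorization code is redeemed at most once (RFC 6749 rule)."""

    def __init__(self):
        self._seen = set()

    def redeem(self, code):
        """True the first time a code is presented, False on any reuse."""
        if code in self._seen:
            return False
        self._seen.add(code)
        return True


# Constructed sample claims (not a real JARM response).
SAMPLE_CLAIMS = {
    "iss": "https://as.example",
    "aud": "client-123",
    "iat": 1_700_000_000,
    "exp": 1_700_000_000 + 300,
    "code": "constructed-code-1",
    "state": "constructed-state-1",
}
```

On a failed `redeem`, the RFC text above says the server side must deny the request and should revoke tokens already issued for that code; the guard here only reports the reuse.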
