- changed status to resolved
Lifetime for JARM JWT
Issue #195
resolved
Hi,
Do you have any recommended value for lifetime of authorization response JWT like the authorization code in RFC 6749?
From RFC 6749, 4.1.2. Authorization Response
code
REQUIRED. The authorization code generated by the
authorization server. The authorization code MUST expire
shortly after it is issued to mitigate the risk of leaks. *A
maximum authorization code lifetime of 10 minutes is
RECOMMENDED.* The client MUST NOT use the authorization code
more than once. If an authorization code is used more than
once, the authorization server MUST deny the request and SHOULD
revoke (when possible) all tokens previously issued based on
that authorization code. The authorization code is bound to
the client identifier and redirection URI.
If you have, it would be great if it is mentioned in the specification.
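As an added worked example (not part of this issue, the pull request, or the FAPI text), the resolution expressed in code: the authorization server caps the JARM response JWT at the same 10-minute bound RFC 6749 recommends for the code it carries, the client checks alg, signature, iss, aud, exp and the iat-to-exp window before using the code, and the server enforces the single-use rule by denying a replayed code and revoking the tokens it produced. HS256 with a constructed key stands in for the server's real asymmetric JARM signing key, and the issuer, client and redirect URI values are assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets

# The issue adopted the RFC 6749 authorization-code bound (10 minutes) for the
# JARM response JWT; both the code and the JWT carrying it use it here.
MAX_LIFETIME = 600

# Assumption: HMAC-SHA256 with a constructed key stands in for the AS's real
# asymmetric JARM signing key so that the example runs offline.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jarm_response(key, issuer, client_id, code, state, now, lifetime=MAX_LIFETIME):
    """AS side: JWT-secured authorization response whose exp is capped at
    MAX_LIFETIME after iat, so the JWT cannot outlive the code it carries."""
    if lifetime > MAX_LIFETIME:
        raise ValueError("response JWT lifetime exceeds the 10 minute recommendation")
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "aud": client_id, "iat": now, "exp": now + lifetime,
              "code": code, "state": state}
    signing_input = ".".join(_b64url(json.dumps(part, separators=(",", ":")).encode())
                             for part in (header, claims))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jarm_response(key, issuer, client_id, token, now):
    """Client side: check alg, signature, iss, aud, exp and the iat-to-exp
    window before trusting the code inside. Returns the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    h64, c64, s64 = parts
    if json.loads(_b64url_decode(h64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token pick the algorithm
    expected = hmac.new(key, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c64))
    if claims.get("iss") != issuer or claims.get("aud") != client_id:
        raise ValueError("wrong issuer or audience")
    iat, exp = claims.get("iat"), claims.get("exp")
    if not isinstance(iat, int) or not isinstance(exp, int):
        raise ValueError("iat/exp missing")
    if now >= exp:
        raise ValueError("response JWT expired")
    if exp - iat > MAX_LIFETIME:
        raise ValueError("response JWT lifetime longer than 10 minutes")
    return claims


class AuthorizationCodeStore:
    """AS side of RFC 6749 4.1.2: codes expire within MAX_LIFETIME, are bound
    to client_id and redirect_uri, and are single use; a replay is denied and
    revokes every token previously issued from that code."""

    def __init__(self):
        self._codes = {}
        self._active_tokens = set()

    def issue_code(self, client_id, redirect_uri, now):
        code = secrets.token_urlsafe(32)
        self._codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                             "expires_at": now + MAX_LIFETIME, "used": False, "tokens": []}
        return code

    def redeem(self, code, client_id, redirect_uri, now):
        entry = self._codes.get(code)
        if entry is None or (entry["client_id"], entry["redirect_uri"]) != (client_id, redirect_uri):
            raise PermissionError("invalid_grant")
        if now >= entry["expires_at"]:
            raise PermissionError("invalid_grant: code expired")
        if entry["used"]:
            for t in entry["tokens"]:  # replay detected: revoke what this code produced
                self._active_tokens.discard(t)
            raise PermissionError("invalid_grant: code reused, tokens revoked")
        entry["used"] = True
        token = secrets.token_urlsafe(32)
        entry["tokens"].append(token)
        self._active_tokens.add(token)
        return token

    def is_token_active(self, token):
        return token in self._active_tokens
```

A typical run is: the AS calls issue_code and wraps the result with issue_jarm_response, the client calls verify_jarm_response on the response and then redeems the code at the token endpoint; a second redeem of the same code raises and silently revokes the first token, and the same JWT presented 600 seconds after iat is rejected at verification. The client-side window check matters because a JWT that carries the code but is valid for hours would undo the point of the short code lifetime.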
Comments (5)
- reporter decided to go with the same recommendation
- changed component to Part 2: Advanced
- changed component to FAPI 1 – Part 2: Advanced
- changed component to FAPI 1: Advanced
Fixed #195
Merged in lifetime-of-authorization-response-JWT (pull request #78)
added lifetime recommendation similar to RFC 6749 for authz codes
Approved-by: Nat Sakimura sakimura@gmail.com
→ <<cset 8ac0bc6059cf>>