Access Token / Refresh Token description not required?

Issue #52 resolved
Dave Tonge created an issue

Comments (5)

  1. Nat Sakimura

    Yes and no. While it probably is better to refer to the OIDC for token lifetime constraints, the TokenLifetime section in OpenID Connect Core does not talk about

    • the implication of the bearer token
    • the implication of the token being used against multiple resources

    These builds up to bring in the notion of Holder of key token and resource audience constrained token respectively in Part 2. So, I would argue to keep the section and those descriptions here while we should refer to OIDC core for the recommendation on the token lifetime itself.

  2. Log in to comment