Access Token / Refresh Token description not required?
Issue #52
resolved
This paragraph seems unneeded - or at the very least should refer to: http://openid.net/specs/openid-connect-core-1_0.html#TokenLifetime
Comments (10)
- changed status to open
re:
#52→ <<cset 81b537a7e335>>
- changed component to Part 1: RO Security
- edited description
- changed status to resolved
- changed component to Part 1: Baseline
- changed component to FAPI 1 - Part 1: Baseline
- changed component to FAPI 1 – Part 1: Baseline
- changed component to FAPI 1 – Baseline
- changed component to FAPI 1: Baseline
Yes and no. While it probably is better to refer to the OIDC for token lifetime constraints, the TokenLifetime section in OpenID Connect Core does not talk about
These build up to bring in the notion of Holder of key token and resource audience constrained token respectively in Part 2. So, I would argue to keep the section and those descriptions here while we should refer to OIDC core for the recommendation on the token lifetime itself.