- marked as blocker
oauth2 Profile - 3.4. @torsten comment [token lifetimes]
Issue #18
resolved
"For public clients, access tokens SHOULD have a valid lifetime no greater than fifteen minutes."
Why does the client type matter? There is no correlation between client type and probability of leakage and/or mechanism to detect leakage.
Comments (7)
The client type matters because in a public client the access token is generally available on the end-user device, so it can leak from there, which is not the case for confidential clients.
However, in almost all cases some kind of sender-constrained access token (e.g. DPoP) is a much better mitigation.
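An added example, not code from the iGov profile or from this thread, showing how a resource server could apply the two points made in this comment: a fifteen-minute cap on bearer tokens issued to public clients, and a DPoP-style sender-constraint check that compares the presenting key's RFC 7638 thumbprint against the token's `cnf.jkt`. The claim layout, the policy thresholds, the `check_token_policy` name and the sample EC key are constructed assumptions, and signature verification of both the access token and the DPoP proof is assumed to have been done already.

```python
import base64
import hashlib
import json
import time
from typing import Optional, Tuple

# Constructed policy value taken from the wording under discussion:
# bearer tokens for public clients live at most fifteen minutes.
MAX_PUBLIC_BEARER_LIFETIME = 15 * 60


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 of the canonical JSON of the required members."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n"), "OKP": ("crv", "kty", "x")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, separators=(",", ":"), sort_keys=True).encode()
    digest = hashlib.sha256(canonical).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def check_token_policy(claims: dict, client_is_public: bool,
                       dpop_jwk: Optional[dict], now: int) -> Tuple[bool, str]:
    """Decide whether signature-verified access-token claims satisfy the lifetime policy.

    dpop_jwk is the public key carried in the (already verified) DPoP proof, or None
    when the request arrived with a plain bearer token.
    """
    if claims["exp"] <= now:
        return False, "expired"
    lifetime = claims["exp"] - claims["iat"]
    jkt = claims.get("cnf", {}).get("jkt")
    if jkt is not None:
        # Sender-constrained token: only the holder of the bound key may use it,
        # so the fixed fifteen-minute cap is not applied (lifetime depends on the method).
        if dpop_jwk is None:
            return False, "sender-constrained token presented without a DPoP proof"
        if jwk_thumbprint(dpop_jwk) != jkt:
            return False, "DPoP proof key does not match cnf.jkt"
        return True, "sender-constrained"
    # Plain bearer token: a leaked copy is usable by anyone, so cap its lifetime.
    if client_is_public and lifetime > MAX_PUBLIC_BEARER_LIFETIME:
        return False, f"bearer lifetime {lifetime}s exceeds {MAX_PUBLIC_BEARER_LIFETIME}s for a public client"
    return True, "bearer"


if __name__ == "__main__":
    now = int(time.time())
    # Constructed sample: a public-client bearer token minted with a one-hour lifetime.
    print(check_token_policy({"iat": now, "exp": now + 3600}, True, None, now))
```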
May depend on sender constrained token method.
Adjusted token lifetimes in https://bitbucket.org/openid/igov/pull-requests/26
- changed title to oauth2 Profile - 3.4. @torsten comment [token lifetimes]
- changed status to resolved
Merged PR #26
Changed to BLOCKER to filter for v1.05/Implementer’s draft.