7.3 expires_in and interval should be required to be integers
Issue #145
resolved
expires_in and interval in the authentication response are (I believe) intended to be integers, but it's not actually stated anywhere I could find.
We should probably be explicit that it's a positive integer, or alternatively we could use a more RFC6749 type definition:
A.14. "expires_in" Syntax
The "expires_in" element is defined in Sections 4.2.2 and 5.1:
expires-in = 1*DIGIT
Comments (5)
- changed milestone to CIBA Post-Implementer's Draft
- changed milestone to CIBA Implementer's Draft
The general consensus on the Jan 8th 2019 call http://lists.openid.net/pipermail/openid-specs-mobile-profile/Week-of-Mon-20190107/001408.html was to add text being explicit that these two are positive integers.
Pull request #56 has proposed changes that make it explicit that expires_in and interval of the Authentication Request Acknowledgement are positive integers represented as JSON numbers
- changed status to resolved
It's interesting to note that the device flow made it through numerous reviews (WGCL, AD, & IESG) from sometimes pedantic reviewers as well as several implementations with the same missing specificity on effectively the same parameters: https://tools.ietf.org/html/draft-ietf-oauth-device-flow-13#section-3.2
Nonetheless, specificity in specifications is typically a good thing so a bit more text to indicate that they are to be positive integers should probably be added.
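
A client-side check for the rule this issue settled on (expires_in and interval are positive integers represented as JSON numbers), given here as an added example that is not part of the issue thread or the specification. The names `parse_ack`, `positive_int` and `AckError` are hypothetical, and the block assumes expires_in is required while interval may be absent.

```python
import json


class AckError(ValueError):
    """An acknowledgement field is not a positive integer JSON number."""


def _reject_float(text):
    # json.loads calls this for any number with a fraction or exponent (120.0, 1e2).
    raise AckError(f"not an integer JSON number: {text}")


def _reject_constant(text):
    # json.loads calls this for the non-standard literals NaN, Infinity, -Infinity.
    raise AckError(f"not a valid JSON number: {text}")


def positive_int(obj, name, required):
    """Return obj[name] if it is a positive integer, None if absent and optional."""
    if name not in obj:
        if required:
            raise AckError(f"{name} is missing")
        return None
    value = obj[name]
    # bool is a subclass of int in Python, so true/false must be excluded explicitly.
    if isinstance(value, bool) or not isinstance(value, int):
        raise AckError(f"{name} must be a JSON number, got {type(value).__name__}")
    if value <= 0:
        raise AckError(f"{name} must be positive, got {value}")
    return value


def parse_ack(body):
    """Validate expires_in and interval in a JSON acknowledgement body."""
    try:
        obj = json.loads(body, parse_float=_reject_float,
                         parse_constant=_reject_constant)
    except json.JSONDecodeError as exc:
        raise AckError(f"malformed JSON: {exc}") from exc
    if not isinstance(obj, dict):
        raise AckError("acknowledgement must be a JSON object")
    return {
        "expires_in": positive_int(obj, "expires_in", required=True),
        "interval": positive_int(obj, "interval", required=False),
    }


if __name__ == "__main__":
    # Constructed sample body, not taken from the issue.
    print(parse_ack('{"auth_req_id": "example", "expires_in": 120, "interval": 5}'))
```

Rejecting the string form `"120"` and the float form `120.0` at parse time keeps a loosely typed value from reaching the polling timer or the expiry check.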