Interactions between refresh tokens and the claims-required flow
Do we have any need or desire to require refresh tokens to be issued in all cases, perhaps due to the positioning of the claims-required request, or is this a matter purely between a requester (client) and AM (authorization server)?
Under WRAP—the underlying protocol currently specified in the UMA specification—access tokens are bearer tokens, transient and relatively short-lived. I suggest that, should this remain the case with WRAP and/or OAuth 2.0, we should use the refresh/access token issuance mechanism to allow such tokens to expire and be reissued as required.
Paul