Access Token Lifetime Disagreement


Cam Morris

Apr 27, 2016, 11:38:28 AM
to OpenID Connect Interop
My co-workers and I are having a discussion on the duration of an access token. The OpenID Connect specification appears to conflict with the OAuth spec.

The sections we think conflict are here:
"Access Token lifetimes SHOULD therefore be kept to single use or very short lifetimes"
When I hear "very short", I'm interpreting that as seconds not hours.

"Access tokens typically have short life spans (minutes or hours) that cover typical session lifetimes"

We've implemented OAuth 2 and have had it in production for a couple of years, and we are in the process of adding OpenID Connect. We discovered the OpenID Connect recommendation of "single use or very short" and are concerned with the apparent conflict between the two specs.

Of course we understand that "SHOULD" doesn't imply mandatory, but we'd like to at least understand why OpenID Connect recommends "single use or very short lifetime".

Camilo Aguilar

Oct 4, 2016, 3:34:35 PM
to OpenID Connect Interop
Mine is 60 min, I believe Google has the same, I have also seen 4 hours.

Naveen Agarwal

Oct 4, 2016, 4:28:09 PM
to openid-conn...@googlegroups.com

There are very good reasons the expiry time is not prescribed, as it should depend a lot on your backend (how and how often you validate access tokens), who has them, and the flows.

Questions you should ask (and evaluate corresponding threats):

1. How soon does the access token stop working when the corresponding refresh token is invalidated?
2. Does the access token always travel over SSL and never show up in logs? Where does it get stored?

If for 1, your system checks the access token against the refresh token every time it is used (on resource endpoints), then you may be able to issue longer access tokens (after considering 2). If access tokens are only verified with signature and timestamps, then you want them short-lived, as there is a gap after a user invalidates the grant.

There are other use cases where the operation may last for hours (like large file uploads, or watching a movie), where you would want the access token to be longer to accommodate most of the use cases where it shouldn't expire in the middle.

We have access tokens that last anywhere from minutes to years (different use cases and risks).

Thanks

Naveen


On Tue, Oct 4, 2016 at 12:34 PM, Camilo Aguilar <camilo....@gmail.com> wrote:
> Mine is 60 min, I believe Google has the same, I have also seen 4 hours.
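The trade-off Naveen describes (stateless signature-and-timestamp validation versus checking the grant's state on every use) is easy to see in code. The following is an added example written for this page; it is not code from any poster or from an OpenID Connect implementation. It assumes a self-contained HS256 JWT-style access token signed with a shared key, a hypothetical `gid` claim that ties the token to its grant/refresh token, and an in-memory set standing in for the authorization server's revocation state. It measures the revocation gap: how long a verifier that only checks signature and `exp` keeps accepting a token after the user has invalidated the grant.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Assumption for this example only: a shared HMAC key known to issuer and verifier.
SECRET = b"example-signing-key-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(grant_id: str, issued_at: int, lifetime: int) -> str:
    """Mint an HS256 JWT-style access token bound to a grant (refresh token) id.
    The 'gid' claim name is an assumption made for this example."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": "user-123", "gid": grant_id,
              "iat": issued_at, "exp": issued_at + lifetime}
    signing_input = (_b64url(json.dumps(header).encode()) + "."
                     + _b64url(json.dumps(claims).encode()))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_local(token: str, now: int) -> Optional[dict]:
    """Stateless check: signature and timestamps only.
    This is the 'only verified with signature and timestamps' case from the
    thread; it cannot notice that the underlying grant was revoked."""
    try:
        h, c, s = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SECRET, (h + "." + c).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        return None
    claims = json.loads(_b64url_decode(c))
    if not (claims.get("iat", 0) <= now < claims.get("exp", 0)):
        return None
    return claims


def validate_with_grant_check(token: str, now: int,
                              revoked_grants: set) -> Optional[dict]:
    """Stateful check: everything validate_local does, plus a lookup of the
    grant's revocation state (the 'check against the refresh token' case)."""
    claims = validate_local(token, now)
    if claims is None or claims["gid"] in revoked_grants:
        return None
    return claims


def revocation_gap(token: str, revoked_at: int) -> int:
    """Seconds a stateless verifier keeps accepting the token after its grant
    is revoked: the window a shorter lifetime is meant to shrink."""
    claims = json.loads(_b64url_decode(token.split(".")[1]))
    return max(0, claims["exp"] - revoked_at)


def demo() -> dict:
    """Constructed scenario: one-hour and one-minute tokens for the same grant;
    the user revokes the grant two minutes in; a request arrives at five minutes."""
    t0 = 1_700_000_000
    long_tok = issue_token("grant-A", t0, 3600)
    short_tok = issue_token("grant-A", t0, 60)
    revoked_at = t0 + 120
    revoked = {"grant-A"}
    now = t0 + 300
    return {
        "long_local_accepted": validate_local(long_tok, now) is not None,
        "long_grant_check_accepted":
            validate_with_grant_check(long_tok, now, revoked) is not None,
        "short_local_accepted": validate_local(short_tok, now) is not None,
        "gap_long": revocation_gap(long_tok, revoked_at),
        "gap_short": revocation_gap(short_tok, revoked_at),
    }


if __name__ == "__main__":
    print(demo())
```

With the one-hour token the stateless verifier keeps honouring the revoked grant for the remaining 58 minutes, while the grant-aware verifier rejects it immediately; the one-minute token has already expired on its own, so its gap is zero. That is the whole argument behind "single use or very short" when nothing but the signature is checked, and behind longer lifetimes being acceptable when every use is checked against the grant.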

