
OAuth2 access token lifetime recommendations

    Details

    • Sprint:
      Sprint 106 - Team Shakespeare
    • Story Points:
      0.5

      Description

      In the Administration guide it says:

      If necessary, adjust the lifetimes for authorization codes (10 minutes is the recommended setting in RFC 6749), access tokens, and refresh tokens.

      This should say 10 minutes or less (or similar).

      RFC says:
      4.1.2. Authorization Response

      If the resource owner grants the access request, the authorization
      server issues an authorization code and delivers it to the client by
      adding the following parameters to the query component of the
      redirection URI using the "application/x-www-form-urlencoded" format,
      per Appendix B:

      code
      REQUIRED. The authorization code generated by the
      authorization server. The authorization code MUST expire
      shortly after it is issued to mitigate the risk of leaks. A
      maximum authorization code lifetime of 10 minutes is
      RECOMMENDED. The client MUST NOT use the authorization code

      I verified this by asking the author of the RFC.
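      The point of the report is that RFC 6749 §4.1.2 sets 10 minutes as a recommended maximum, not a target, so an authorization server should both cap the configured lifetime and enforce expiry and single use at redemption time. The following is an added example written for this issue (it is not OpenAM code, not ForgeRock documentation, and not text from the RFC); the class, function and field names are assumptions, and the client id, redirect URI and fake clock values are constructed for the demonstration.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# RFC 6749 section 4.1.2: "A maximum authorization code lifetime of 10 minutes is RECOMMENDED."
MAX_AUTHZ_CODE_LIFETIME_SECONDS = 10 * 60


def lifetime_within_recommendation(lifetime_seconds: int) -> bool:
    """True when a configured lifetime is positive and at most the RFC's recommended maximum."""
    return 0 < lifetime_seconds <= MAX_AUTHZ_CODE_LIFETIME_SECONDS


@dataclass
class AuthorizationCode:
    client_id: str
    redirect_uri: str
    issued_at: float
    expires_at: float
    redeemed: bool = False


class AuthorizationCodeStore:
    """Hypothetical in-memory code store that enforces the lifetime cap, expiry and single use.

    `clock` is injectable so expiry can be tested without sleeping.
    """

    def __init__(self, lifetime_seconds: int, clock: Callable[[], float] = time.time) -> None:
        # Reject misconfiguration up front rather than silently issuing long-lived codes.
        if not lifetime_within_recommendation(lifetime_seconds):
            raise ValueError(
                f"authorization code lifetime must be between 1 and "
                f"{MAX_AUTHZ_CODE_LIFETIME_SECONDS} seconds, got {lifetime_seconds}"
            )
        self.lifetime_seconds = lifetime_seconds
        self.clock = clock
        self._codes: Dict[str, AuthorizationCode] = {}

    def issue(self, client_id: str, redirect_uri: str) -> str:
        """Mint an unguessable code bound to the client and redirect URI of the request."""
        now = self.clock()
        code = secrets.token_urlsafe(32)
        self._codes[code] = AuthorizationCode(
            client_id=client_id,
            redirect_uri=redirect_uri,
            issued_at=now,
            expires_at=now + self.lifetime_seconds,
        )
        return code

    def redeem(
        self, code: str, client_id: str, redirect_uri: str
    ) -> Tuple[Optional[AuthorizationCode], Optional[str]]:
        """Validate a code at the token endpoint.

        Returns (entry, None) on success or (None, "invalid_grant") on any failure; the reason
        is deliberately not distinguished to the client.
        """
        entry = self._codes.get(code)
        if entry is None:
            return None, "invalid_grant"
        if entry.redeemed:
            # Reuse of a code is a strong signal of leakage; the entry is kept marked as
            # redeemed so that replays stay detectable. RFC 6749 4.1.2 says the server
            # SHOULD also revoke tokens previously issued on this code (hook not shown here).
            return None, "invalid_grant"
        if self.clock() >= entry.expires_at:
            del self._codes[code]
            return None, "invalid_grant"
        if entry.client_id != client_id or entry.redirect_uri != redirect_uri:
            return None, "invalid_grant"
        entry.redeemed = True
        return entry, None


class FakeClock:
    """Constructed clock for the demonstration: time only moves when the caller advances it."""

    def __init__(self, start: float) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


if __name__ == "__main__":
    clock = FakeClock(1_000.0)
    store = AuthorizationCodeStore(lifetime_seconds=120, clock=clock)
    code = store.issue("client-a", "https://client.example/cb")
    print("first redemption:", store.redeem(code, "client-a", "https://client.example/cb")[1])
    print("replay:", store.redeem(code, "client-a", "https://client.example/cb")[1])
```

      The constructor refuses any configured lifetime above 600 seconds, which is the check the documentation wording in this issue is asking for; the redemption path then enforces the expiry that the RFC makes mandatory ("MUST expire shortly after it is issued") independently of how short the configured value is.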

            People

            • Assignee:
              chris.lee Chris Lee
            • Reporter:
              alex.levin@forgerock.com Alex Levin
            • Votes:
              0
            • Watchers:
              2