[OPENAM-8615] OAuth2 access token lifetime recommendations Created: 23/Mar/16  Updated: 22/Jul/20  Resolved: 18/Apr/16

Status: Resolved
Project: OpenAM
Component/s: documentation
Affects Version/s: 12.0.0
Fix Version/s: 14.0.0

Type: Bug Priority: Minor
Reporter: Alex Levin Assignee: Chris Lee
Resolution: Fixed Votes: 0
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Sprint: Sprint 106 - Team Shakespeare
Story Points: 0.5


In the Administration guide it says:

If necessary, adjust the lifetimes for authorization codes (10 minutes is the recommended setting in RFC 6749), access tokens, and refresh tokens.

this should say 10 minutes or less (or similar)

RFC says:
4.1.2. Authorization Response

If the resource owner grants the access request, the authorization
server issues an authorization code and delivers it to the client by
adding the following parameters to the query component of the
redirection URI using the "application/x-www-form-urlencoded" format,
per Appendix B:

REQUIRED. The authorization code generated by the
authorization server. The authorization code MUST expire
shortly after it is issued to mitigate the risk of leaks. A
maximum authorization code lifetime of 10 minutes is
RECOMMENDED. The client MUST NOT use the authorization code

I verified this by asking the Author of the RFC.

Comment by Chris Lee [ 18/Apr/16 ]

Altered text to clarify lifetime of OAuth 2.0 access tokens should be 10 minutes, or less, with a link to the relevant RFC (thanks Alex).

Generated at Sun Jan 17 00:10:37 UTC 2021 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.