Hi Nick,

What does an AS do when time-limited user consent expires (consent_expires_in)? Does it invalidate ATs for a user? Or... does it require the user to re-consent to the requested scopes? If so, how should it do that in your view?

Would you like to allow users to set an expiration date for their consent on the consent page?

I suggest renaming field refresh_token_expiration_types to refresh_token_expiration_types_supported in AS's metadata (in order to use the same name convention).

A minor nit, in the provided examples, you need to omit " around values provided for parameters *refresh_token_expires_in* and *consent_expires_in*.

All the best,
Andrii

On Fri, Jun 27, 2025 at 10:44 AM Nick Watson <nwatson= [email protected]> wrote:

> Hi all,
>
> I have written up a draft for expiring refresh tokens, including both
> expiration from time-limited user consent as well as expiration due to
> enforced RT rotation deadline.
>
> https://datatracker.ietf.org/doc/draft-watson-oauth-refresh-token-expiration/
>
> Have a look and let me know what you think.
>
> - Nick
> _______________________________________________
> OAuth mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
