cxf-issues mailing list archives

From "Sergey Beryozkin (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (CXF-4834) AccessTokenService not include issuedAt on ClientAccessToken
Date Tue, 19 Feb 2013 15:49:13 GMT

    [ https://issues.apache.org/jira/browse/CXF-4834?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13581382#comment-13581382 ]

Sergey Beryozkin edited comment on CXF-4834 at 2/19/13 3:48 PM:
----------------------------------------------------------------

"expires_in" is actually reported by default - the reason this can be made optional is that
OAuth2 says it is an optional parameter. I think if the admin decides (mostly for security
reasons I guess) not to report it then the client, upon receiving 401 from the resource server,
will need to request a new one (by repeating the original flow where this token was acquired)
or use a refresh token grant to refresh a token; I think realistically, what this parameter
can really help the client with, is to avoid a futile attempt to request a resource when a
token has already expired - so this mostly allows for an optimization; or for the client-driven
revocation, with the latest token revocation draft
                
      was (Author: sergey_beryozkin):
    "expires_in" is actually reported by default - the reason this can be made optional is
that OAuth2 says it is an optional parameter. I think if the admin decides (mostly for security
reasons I guess) not to report it then the client, upon receiving 401 from the resource server,
will need to request a new one (by repeating the original flow where this token was acquired)
or use a refresh token grant to refresh a token; I think realistically, what this parameter
can really help the client with, is to avoid a futile attempt to request a resource when a
token has already expired - so this is mostly allows for an optimization; of for the client-driven
revocation, with the latest token revocation draft
                  
> AccessTokenService not include issuedAt on ClientAccessToken
> ------------------------------------------------------------
>
>                 Key: CXF-4834
>                 URL: https://issues.apache.org/jira/browse/CXF-4834
>             Project: CXF
>          Issue Type: Improvement
>          Components: JAX-RS Security
>    Affects Versions: 2.7.3
>            Reporter: David
>            Priority: Minor
>             Fix For: 2.7.3
>
>
> I'm currently using ClientAccessToken AccessTokenService and issuedAt is not included; the
> value is always -1. Could you include the value of serverToken issuedAt in ClientAccessToken?

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
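
The client-side handling described in the comment above, sketched as an added example that is not part of the original message and is not CXF code: a client skips a request only when the token's expiry is known and has passed, and otherwise reacts to a 401 by refreshing or repeating the original flow. `TokenExpiryDecision`, `StoredToken`, `Action` and the method names are hypothetical, and -1 is assumed to mean "not reported", as with the issuedAt value in the issue.

```java
/** Added illustration in plain Java (16+); the names are hypothetical, not CXF's API. */
public class TokenExpiryDecision {

    enum Action { SEND_REQUEST, USE_RESPONSE, REFRESH_TOKEN, REPEAT_ORIGINAL_FLOW }

    /** Token fields as a client might store them; -1 means "not reported" (assumption). */
    record StoredToken(String refreshToken, long issuedAt, long expiresIn) {}

    /** Before a request: skip the futile call only when expiry is known and has passed. */
    static Action beforeRequest(StoredToken t, long nowSeconds) {
        boolean expiryKnown = t.issuedAt() >= 0 && t.expiresIn() >= 0;
        if (expiryKnown && nowSeconds >= t.issuedAt() + t.expiresIn()) {
            return renew(t);
        }
        // Expiry unknown or token still valid: let the resource server decide.
        return Action.SEND_REQUEST;
    }

    /** After a response: a 401 from the resource server means the token must be replaced. */
    static Action afterResponse(StoredToken t, int httpStatus) {
        return httpStatus == 401 ? renew(t) : Action.USE_RESPONSE;
    }

    /** Prefer the refresh token grant; otherwise repeat the flow that issued the token. */
    static Action renew(StoredToken t) {
        return t.refreshToken() != null ? Action.REFRESH_TOKEN : Action.REPEAT_ORIGINAL_FLOW;
    }

    public static void main(String[] args) {
        long now = 1_361_289_000L; // constructed "current time" in epoch seconds

        // Constructed samples: expiry reported and already passed, and expiry withheld.
        StoredToken expired = new StoredToken("constructed-refresh-token", now - 7200, 3600);
        StoredToken unreported = new StoredToken(null, -1, -1);

        System.out.println(beforeRequest(expired, now));
        System.out.println(beforeRequest(unreported, now));
        System.out.println(afterResponse(unreported, 401));
        System.out.println(afterResponse(unreported, 200));
    }
}
```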