Konubinix' opinionated web of thoughts

OAuth – The Good Parts - Anders Abel

Fleeting

  • External reference: ndcconferences, OAuth 2.0,

It is shown that the expiration time of the access token is given IN the token response metadata (the expires_in field) AND (generally) also inside the self-encoded access token.

This illustrates that the access token is a bearer token intended for the resource server, and that the client should treat it as opaque rather than parse it (see ID Tokens vs Access Tokens).

The client MUST read the token's expiration from the token response (expires_in), not try to find it inside the token itself.

There exists a library that implements a whole OpenID Connect client inside a browser-based OAuth web client, but he says this is now discouraged: browser-based apps SHOULD use a BFF (backend for frontend) instead, as the OAuth security best practices state.
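As an added example (not from the talk or from these notes), here is a minimal Python sketch of a BFF that ties the two points above together: the token lifetime is taken from expires_in in the token response and the token string is treated as opaque (it is not a JWT here, so nothing could be decoded from it anyway), and the browser only ever receives an HttpOnly session cookie while the backend attaches the bearer token to upstream calls. The token responses are constructed samples, and the refresh and upstream callables are hypothetical stand-ins for the authorization server's token endpoint and the resource server.

```python
import secrets
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed token response in the shape of RFC 6749 section 5.1. The access
# token is deliberately an opaque string, not a JWT: the client cannot read an
# expiry out of it, which is exactly why it must use expires_in instead.
SAMPLE_TOKEN_RESPONSE = {
    "access_token": "opaque-" + "a" * 40,
    "token_type": "Bearer",
    "expires_in": 3600,
    "refresh_token": "refresh-" + "b" * 40,
}

# Constructed refresh response: a new access token with a shorter lifetime and
# no new refresh token (the AS is allowed to omit it).
SAMPLE_REFRESH_RESPONSE = {
    "access_token": "opaque-" + "c" * 40,
    "token_type": "Bearer",
    "expires_in": 600,
}


@dataclass
class StoredTokens:
    access_token: str
    token_type: str
    expires_at: float            # absolute epoch seconds, derived from expires_in
    refresh_token: Optional[str]


def tokens_from_response(resp: dict, now: float) -> StoredTokens:
    """Derive the expiry from response metadata (expires_in), never from the token."""
    if resp.get("token_type", "").lower() != "bearer":
        raise ValueError("only bearer tokens are handled here")
    if "expires_in" not in resp:
        # expires_in is RECOMMENDED, not REQUIRED, in RFC 6749. If the AS omits
        # it, do not guess by decoding the token; refuse instead.
        raise ValueError("token response has no expires_in")
    return StoredTokens(
        access_token=resp["access_token"],
        token_type=resp["token_type"],
        expires_at=now + int(resp["expires_in"]),
        refresh_token=resp.get("refresh_token"),
    )


def needs_refresh(t: StoredTokens, now: float, skew: float = 60.0) -> bool:
    """Refresh a little before the expiry stated by the AS to absorb clock skew."""
    return now + skew >= t.expires_at


def parse_session_cookie(cookie_header: str) -> Optional[str]:
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "bff_session":
            return value or None
    return None


class Bff:
    """Keeps tokens server-side; the browser only ever holds an opaque session id."""

    def __init__(self, refresh: Callable[[str], dict]):
        self._sessions: dict[str, StoredTokens] = {}
        self._refresh = refresh   # hypothetical stand-in for the AS token endpoint

    def complete_login(self, token_response: dict, now: float) -> dict:
        """Store the token response and hand the browser a session cookie, not the token."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = tokens_from_response(token_response, now)
        return {"Set-Cookie": f"bff_session={sid}; HttpOnly; Secure; SameSite=Lax; Path=/"}

    def call_api(self, cookie_header: str, now: float,
                 upstream: Callable[[dict], int]) -> int:
        """Proxy one API call: attach the bearer token server-side, or 401 without a valid session."""
        sid = parse_session_cookie(cookie_header)
        tokens = self._sessions.get(sid) if sid else None
        if tokens is None:
            return 401
        if needs_refresh(tokens, now):
            if tokens.refresh_token is None:
                del self._sessions[sid]
                return 401
            new = tokens_from_response(self._refresh(tokens.refresh_token), now)
            if new.refresh_token is None:       # AS did not rotate it: keep the old one
                new.refresh_token = tokens.refresh_token
            self._sessions[sid] = tokens = new
        return upstream({"Authorization": f"{tokens.token_type} {tokens.access_token}"})


if __name__ == "__main__":
    t0 = 1_700_000_000.0
    bff = Bff(refresh=lambda rt: SAMPLE_REFRESH_RESPONSE)
    cookie = bff.complete_login(SAMPLE_TOKEN_RESPONSE, t0)["Set-Cookie"].split(";")[0]
    print(bff.call_api(cookie, t0 + 10, lambda h: 200))      # fresh token: 200
    print(bff.call_api(cookie, t0 + 3550, lambda h: 200))    # inside the skew window: refreshed, 200
```

The browser never sees access_token or refresh_token: the only thing crossing to it is the Set-Cookie header with an opaque session id, and the only place the expiry comes from is the expires_in the AS returned alongside the token.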

authorization server redirection and user experience

Notes linking here