Yes, the client needs to be able to handle unexpected ... • Aaron Parecki

60°F

Aaron Parecki https://aaronparecki.com/ • Aug 23
The way I like to think about it is:

If the client knows when the AT will (likely) expire, it can proactively refresh the token.

There is nothing the client can do differently if it knows when the RT will (likely) expire.

Yes, the client needs to be able to handle unexpected expiration of both the AT and RT, which tbh is more an argument that the AS should never return expires_in than an argument that it should return it for both tokens.

Seattle, Washington, USA • 79°F

Tue, Aug 23, 2022 4:49pm -07:00 #oauth

1 like 1 reply
- Fernando Fontoura
Have you written a response to this? Let me know the URL:
- Fernando Fontoura twitter.com/fernandfontoura
  
  I agree! I think I have a partnership. :)
  
  Wed, Aug 24, 2022 12:09am +00:00 (via brid.gy)

Posted in /replies using quill.p3k.io