
That just pushes the problem around, yes?

So now the client servers have to store/check the lifetime of tokens rather than resource servers.

Does that actually improve OAuth as a whole?




Even without refresh tokens, clients need to check lifetime. If the token is opaque and the lifetime is unknown, it is no different from a session cookie.

> Does that actually improve OAuth as a whole?

Like I said, this is an improvement for whoever is validating tokens and only them. Refresh tokens are not hard to use; not sure what the confusion is here:

`token = token.is_expired ? refresh_token() : token`

That's all. Even in wordy rust, it doesn't take much:

https://docs.rs/yup-oauth2/6.5.1/src/yup_oauth2/authenticato...

Are you mad that, unlike with an opaque token, you know ahead of time when it's expired for sure rather than when you get a 401?
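The one-liner above, spelled out as a small client-side token holder. This is an added example, not code from the thread or from the yup-oauth2 crate it links to: the `Token`/`TokenCache` names, the 60-second refresh leeway, the fake clock and the in-memory `refresh_fn` standing in for the token endpoint are all assumptions made here. It shows the two cases the thread contrasts: a token with a known lifetime is refreshed shortly before it expires (so a nearly-dead token is never sent), while an opaque token with no known lifetime can only be declared expired after the resource server answers 401.

```python
"""Client-side access-token lifetime handling around a refresh token.

Added example, not code from the thread or from yup-oauth2. The class
names, the 60 s leeway and the fake token endpoint are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Token:
    access_token: str
    # Absolute expiry as a Unix timestamp; None when the server gave no
    # lifetime (an opaque token whose validity is only learned from a 401).
    expires_at: Optional[float]

    def is_expired(self, now: float, leeway: float = 0.0) -> bool:
        if self.expires_at is None:
            return False  # unknown lifetime: assume valid until rejected
        return now + leeway >= self.expires_at


class TokenCache:
    """Hands out a usable access token, refreshing only when needed."""

    def __init__(self, token: Token, refresh_fn: Callable[[], Token],
                 leeway: float = 60.0):
        self._token = token
        self._refresh_fn = refresh_fn  # performs the refresh-token grant
        self._leeway = leeway          # refresh this many seconds early
        self.refresh_count = 0

    def get(self, now: float) -> str:
        # The thread's `token = token.is_expired ? refresh_token() : token`,
        # plus a leeway so a token about to expire is not sent and rejected
        # mid-request.
        if self._token.is_expired(now, self._leeway):
            self._token = self._refresh_fn()
            self.refresh_count += 1
        return self._token.access_token

    def invalidate(self) -> None:
        # Called when a resource server answers 401: for a token with an
        # unknown lifetime this is the only expiry signal the client gets.
        self._token = Token(self._token.access_token, expires_at=0.0)


def simulate() -> dict:
    """Constructed walk-through with a fake clock and fake token endpoint
    (no network); returns the tokens handed out at each step."""
    clock = {"now": 0.0}
    lifetime = 3600.0
    minted = {"n": 0}

    def refresh_fn() -> Token:
        # Stand-in for the refresh-token grant: mints a fresh token that
        # lives `lifetime` seconds from the current fake time.
        minted["n"] += 1
        return Token(f"at-{minted['n']}", expires_at=clock["now"] + lifetime)

    cache = TokenCache(Token("at-0", expires_at=lifetime), refresh_fn, leeway=60.0)
    out = {}
    clock["now"] = 1000.0
    out["t1000"] = cache.get(clock["now"])      # still valid -> "at-0"
    clock["now"] = 3550.0                       # inside the 60 s leeway
    out["t3550"] = cache.get(clock["now"])      # refreshed early -> "at-1"
    clock["now"] = 3600.0
    out["t3600"] = cache.get(clock["now"])      # "at-1" still good, no refresh
    cache.invalidate()                          # resource server said 401
    out["after_401"] = cache.get(clock["now"])  # forced refresh -> "at-2"
    out["refreshes"] = cache.refresh_count      # 2
    # Opaque token: lifetime unknown, so it never reports itself expired.
    out["opaque_expired"] = Token("opaque", None).is_expired(1e12)
    return out


if __name__ == "__main__":
    print(simulate())
```

`invalidate()` is what the opaque-token case reduces to: the client learns about expiry only from the 401 and then retries with a refreshed token, whereas with a known `expires_at` the leeway lets it refresh ahead of the deadline and avoid the failed request altogether.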



