
Clean up of Refresh Token requirements

Status: Open. CDR-API-Stream opened this issue 5 months ago • 0 comments

Description

Requirements for Refresh Tokens include a legacy reference to an expiration date of 28 days or longer from when refresh token cycling was permitted. The standards further include some ambiguity about the alignment of refresh token expiry to the sharing duration.

Intention and Value of Change

Clarification of requirements regarding refresh token support.

Area Affected

Security Profile -> Tokens -> Refresh Tokens

Change Proposed

Change the following statements:

Refresh Token

Refresh Tokens MUST be supported by Data Holders.

The usage of Refresh Tokens is specified in section 12 of [OIDC].

The expiration time for a Refresh Token MUST be set by the Data Holder. Refresh Token expiration MAY be any length of time greater than 28 days but MUST NOT exceed the end of the duration of sharing consented to by the Consumer.

Data Holders MUST NOT cycle refresh tokens (rotation). In other words, Refresh Tokens SHOULD be issued with an "exp" equal to the sharing duration authorised by the Customer.

To be:

Refresh Token

Refresh Tokens MUST be supported by Data Holders in accordance with section 12 of [OIDC].

In addition, Data Holders:

  • MUST NOT cycle refresh tokens (rotation).
  • MUST issue Refresh Tokens with an "exp" equal to the sharing duration authorised by the Customer.
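
As an added example (not code from the issue, the CDR standards or any Data Holder), a Python model of the proposed rule: issuance sets "exp" to the end of the sharing duration authorised by the Customer, the refresh grant hands back the same refresh token instead of cycling it, and a conformance check flags tokens that drift from either requirement. The Consent and RefreshToken types, the function names and the access-token lifetime are assumptions; capping the access token at the refresh token's "exp" is an added assumption, not a requirement stated on this page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
import secrets


@dataclass
class Consent:
    customer_id: str
    granted_at: datetime
    sharing_duration: timedelta  # duration authorised by the Customer


@dataclass
class RefreshToken:
    value: str
    customer_id: str
    exp: datetime


def issue_refresh_token(consent: Consent) -> RefreshToken:
    """Proposed rule: 'exp' equals the end of the authorised sharing duration."""
    exp = consent.granted_at + consent.sharing_duration
    return RefreshToken(secrets.token_urlsafe(32), consent.customer_id, exp)


def refresh_grant(token: RefreshToken, consent: Consent, now: datetime,
                  access_ttl: timedelta = timedelta(minutes=10)) -> dict:
    """Token endpoint under the proposed text: a refresh_token grant yields a new
    access token but returns the same refresh token (no rotation)."""
    if token.customer_id != consent.customer_id or now >= token.exp:
        raise PermissionError("invalid_grant: refresh token outside the sharing duration")
    # Assumption: access tokens never outlive the consented sharing period.
    access_exp = min(now + access_ttl, token.exp)
    return {"access_token_exp": access_exp, "refresh_token": token}


def check_compliance(token: RefreshToken, consent: Consent,
                     previous: Optional[RefreshToken] = None) -> list:
    """Conformance check for the two proposed MUSTs; returns a list of findings."""
    findings = []
    if token.exp != consent.granted_at + consent.sharing_duration:
        findings.append("exp does not equal the authorised sharing duration")
    if previous is not None and token.value != previous.value:
        findings.append("refresh token was cycled (rotation)")
    return findings
```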

CDR-API-Stream, Sep 17 '24 13:09