
relax refresh tokens requirement?

Open Sakurann opened this issue 2 years ago • 2 comments

I was surprised to find that FAPI does not mandate refresh tokens. Maybe this profile should also relax mandating refresh tokens.

the use of refresh tokens instead of long-lived access tokens for both public and confidential clients is recommended.

Sakurann avatar May 26 '23 21:05 Sakurann

Agree to reconsider. We should be very sure and clear why we think refresh tokens are needed.

In my opinion, refresh tokens can help to achieve a better UX in the following cases:

  • Silent refresh of credentials, which is especially useful if the credential doesn't have a dynamic status management mechanism. Given we will have that mechanism through the status list, we won't necessarily need refresh tokens for this scenario.
  • Obtaining fresh copies of a credential that shall be used on a per-RP basis or as ephemeral credentials. I don't see a compelling alternative to refresh tokens for this scenario. So perhaps we can make the use/implementation of refresh tokens dependent on the privacy requirements of the deployment.

tlodderstedt avatar May 28 '23 11:05 tlodderstedt

I agree; in the Italian implementation profile we do not support the refresh token, as mentioned here:

https://github.com/italia/eudi-wallet-it-docs/issues/154

peppelinux avatar Dec 13 '23 10:12 peppelinux

done in #125

Sakurann avatar Dec 13 '24 14:12 Sakurann