|
|
|
|
|
|
by motorest
394 days ago
|
|
|
> In that case, when and how would you reload the statuslist? It only depends on your own requirements. You can easily implement pull-based or push-based approaches if they suit your needs. I know some companies enforce a 10min tolerance on revoked access tokens, and yet some resource servers poll them at a much higher frequency. > Again, it doesn't matter if TTL and caching is optional (...) I agree, it doesn't. TTL is not relevant at all. If you go for a pull-based approach, you pick the refresh strategy that suits your needs. TTL means nothing if it's longer than your refresh periods. > This draft specifies a list that can be cached and/or refreshed periodically or on demand. This means that there will always be some specified refresh frequency and you cannot have near-real-time refreshes. Yes. You know what it makes sense for you. It's not for the standard to specify the max frequency. I mean, do you think the spec specify max expiry periods for tokens? Try to think about the problem. What would you do if the standard somehow specified a TTL and it was greater than your personal needs? |
|
|