
RECOMMENDATIONS FOR OAUTH 3.0

Based on OAuth 2.0 Current Limitations

While we wait patiently for the release of OAuth 3.0 (unfortunately, no date has been communicated yet), below are my top 5 must-have recommendations for the next release of this authentication protocol.

oAuth & IAM: Projects

TOP 5 RECOMMENDATIONS FOR OAUTH 3.0

What should we have in the next OAuth release to ease implementation?


EVERLASTING TOKEN

User Experience

Today all refresh tokens have a fixed expiration time. This has to change: once a user is securely authenticated, he should never have to log in again unless he has an unexpected session from a remote location or a different workstation, or has broken any risk access rules.
Think about it: the user has (I expect) passed MFA authentication, established a secure login with an OTP (one-time password), and now has a fully established secure session to browse your site from a specific IP, browser and workstation. Why would you ever expire his session? If the user wants to close his browser (Chrome doesn't delete session cookies anymore) and wants to end the session, well, make a logout function available.
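The following Python sketch is an added example, not code from the original page or from any OAuth specification. It shows a refresh-token store with no expiry time where a refresh succeeds only from the IP, browser and workstation bound at login. The class and field names, the single-use rotation of tokens and the `risk_rules` hook are assumptions made for illustration.

```python
import hashlib
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class Context:
    ip: str
    browser: str
    workstation: str  # hypothetical device identifier

class SessionStore:
    """Refresh tokens with no expiry time, bound to the login context."""

    def __init__(self, risk_rules=()):
        self._sessions = {}            # sha256(token) -> (user, Context)
        self._risk_rules = risk_rules  # callables(user, ctx) -> True on violation

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user, ctx):
        """Call only after the user has passed MFA from this context."""
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = (user, ctx)
        return token

    def refresh(self, token, ctx):
        """Return ("ok", new_token) or ("reauth", None). No clock is consulted."""
        # pop() makes every token single-use and revokes it on any failure below.
        entry = self._sessions.pop(self._key(token), None)
        if entry is None:
            return ("reauth", None)    # unknown, logged out, or already used
        user, bound = entry
        if ctx != bound:
            return ("reauth", None)    # different IP, browser or workstation
        if any(rule(user, ctx) for rule in self._risk_rules):
            return ("reauth", None)    # broke a risk access rule
        return ("ok", self.issue(user, bound))

    def logout(self, token):
        """Explicit logout is the only user-driven way to end the session."""
        self._sessions.pop(self._key(token), None)

if __name__ == "__main__":
    store = SessionStore()
    home = Context("203.0.113.10", "Chrome", "laptop-1")  # constructed sample values
    token = store.issue("alice", home)
    print(store.refresh(token, home)[0])                   # same context
    print(store.refresh(token, Context("198.51.100.7", "Chrome", "laptop-1"))[0])
```

Because a failed check discards the stored session, a request from an unexpected context forces a fresh login even if the original context later presents the same token.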


©2021 by EA Solutions. Proudly created with Wix.com
