From 1215bc4bbb8654fdfc9d48cab2440d4674635b30 Mon Sep 17 00:00:00 2001 From: Lars Wirzenius Date: Sun, 31 Mar 2019 18:46:11 +0300 Subject: Add: note that access tokens can't be revoked --- yuck.mdwn | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'yuck.mdwn') diff --git a/yuck.mdwn b/yuck.mdwn index 67c185a..5a4ad2b 100644 --- a/yuck.mdwn +++ b/yuck.mdwn @@ -41,7 +41,8 @@ Muck JSON store, but support for, say, LDAP can be added. ## Terminology and concepts * **access token**: a token which grants access to a service or - resource; usually short-lived, but see refresh token + resource; usually quite short-lived (maybe less than a minute), + since it can't be easily revoked, but see refresh token * **API client**: a program that uses the API, either on behalf of an end-user, or on its own behalf @@ -85,7 +86,8 @@ Muck JSON store, but support for, say, LDAP can be added. end users; see [OIDC][] * **refresh token**: a token that can be used to get a new access - token; usually long-lived, but can be revoked + token; usually long-lived, but can be revoked, since every use can + be checked by the IDP * **relying party**: software that relies on the IDP for authentication and authorization; often a resource provider, but can -- cgit v1.2.1
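Review bot: In the first hunk (the **access token** entry), the added wording "since it can't be easily revoked" gives no reason for the limitation, and it is softer than the commit subject, which says access tokens "can't be revoked". Pick one claim and state the reason next to it; the second hunk explains revocability of refresh tokens by the IDP checking every use, so the counterpart for access tokens belongs here. The trailing "but see refresh token" now follows the revocation clause and reads as if it qualified revocation rather than lifetime; splitting the entry into two sentences would fix that. The parenthetical "(maybe less than a minute)" is also a hedge inside a terminology definition; either give it as an example value or drop it.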
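Review bot: In the second hunk (the **refresh token** entry), "since every use can be checked by the IDP" is weaker than the claim it supports: revocation is only effective if every use actually is checked by the IDP, not merely checkable. Suggest wording along the lines of "since every use goes through the IDP, which can refuse a revoked token". The entry also does not say who can revoke a refresh token, which a reader of a terminology section will want, even if only as a pointer to where that is described.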