A poll -

If you are logging into a service via oauth2, indieauth, or similar, and you grant access to a web-based client, you expect that grant to expire:

@djsundog Hm. I said "30 days", but "expect" is causing me to rethink. I hope that when I grant access, it lasts until I revoke it; my expectation based on experience is that it'll probably last about 30 days.

@djsundog tie between 24 hours and when explicitly logged out, but more leaning towards the latter.

also, "24 hours" because of not being 100% sure what current best practices are on websites that log users out automatically after a given period of time, in regards to this.

informal assessment = which doesn't seem to apply in this case as much, but it's around either way

@djsundog I expect it will never expire, and will grant both me and various people around the globe who are not me access to data I don't want transferred.

Source: I've used the internet lately

@djsundog It *should* be 1 year or when I log out. But in practice, 14-30 days is so common I don't expect anything to ever work.

Sign in to participate in the conversation

The social network of the future: No ads, no corporate surveillance, ethical design, and decentralization! Own your data with Mastodon!