[Openid-specs-ab] On ID Token expiration and authentication expiration

Thomas Broyer t.broyer at gmail.com
Tue Mar 18 10:49:25 UTC 2014

Hi everyone,

I started implementing OpenID Connect Core 1.0 (Basic profile) and was now
looking at OpenID Connect Session 1.0.
There, it says that (section 4):

    An ID Token typically comes with an expiration date. The RP MAY rely
    on it to expire the RP session.

This is not at all what I expected after reading the other specs (Core,
In Core, "exp" is defined as (section 2):

    Expiration time on or after which the ID Token MUST NOT be accepted
    for processing.

So my understanding (and what I implemented) was that I could (should?)
give a very short lifetime to the ID Token, given that it's only
processed/validated upon reception from the Token Endpoint. Currently, my
ID Tokens expire after 10 minutes (for comparison, my Authorization Codes
are only valid for 1 minute).

I thus searched what I could have missed, and found, in Core, section 3:

    The Authentication result is returned in an ID Token, as defined in
    Section 2. It has Claims expressing such information as the Issuer,
    the Subject Identifier, when the authentication expires, etc.

OK, so maybe the "exp" of the ID Token is the expected "end of the session"
(more on that later). You'll note that it's just a small note lost in the
middle of a big spec. If "exp" is to be used for any other purpose than
validating the ID Token, then it should be called out more prominently.
Also, the example in section actually conflicts with this
definition: the ID Token expires after 1000 seconds only (while the access
token expires after 3600 seconds).

Now, about what the "end of the session" means. Currently, I issue access
tokens that expire after 1 hour. Because I exclusively use the
authorization_code flow (and refresh_token flow), RPs have to go through
the whole dance every hour at most to ask for another access token; so
should the "end of the session" the same as the expiration of the access
token? Actually, for RPs that only need federated authentication but won't
actually use the access token, the "end of session" could be the same as
the session I maintain on the OP, that lasts for several hours.

So, could someone make it clear what's the expected "exp" value for the ID
Token returned by the Token Endpoint? (in the case of authorization_code
flow) Should it be short because it's only useful for validating the ID
Token upon reception? Should it be the same as the access token expiration?
(at least for the case where offline_access has not been granted) Or should
it be the same as the session maintained on the OP? (that could last for
hours, and with "remember me" could even last for days)

Or should the Session spec simply just not make any claim about the ID
Token expiration being related to the session expiration?

Thanks in advance.

Thomas Broyer
/tɔ.ma.bʁwa.je/ <http://xn--nna.ma.xn--bwa-xxb.je/>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20140318/cce28e3a/attachment-0001.html>

More information about the Openid-specs-ab mailing list