[Openid-specs-ab] Issue #1002: Clarify meaning of exp claim in ID Token (openid/connect)
issues-reply at bitbucket.org
Wed Aug 31 01:25:44 UTC 2016
New issue 1002: Clarify meaning of exp claim in ID Token
Several people have requested that the meaning of the "exp" (expiration time) claim in the ID Token be clarified. The intended meaning was the ID Token cannot be used to establish an authenticated session with the RP after the expiration time has passed. Some have been confused into thinking that "exp" also limits the authenticated session length, which it doesn't.
We probably owe it to people to clarify this. We can do it as an errata action since it is not a normative change. Here's a stab at a proposed change...
The first sentence currently says "Expiration time on or after which the ID Token MUST NOT be accepted for processing." I propose that we change this to "Expiration time on or after which the ID Token MUST NOT be accepted by the Relying Party when performing authentication."
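To illustrate the distinction the issue is about, here is an added example (not part of the issue text or of any OpenID implementation) of an RP that checks "exp" only when deciding whether to accept the ID Token for authentication, and then runs a session whose lifetime is its own policy. The claim values, the 60-second clock-skew allowance and the session lifetime are constructed assumptions; signature verification is assumed to have happened before these claims are examined.

```python
# Constructed sample ID Token claims (not a real token). Signature verification
# is assumed to have already succeeded before these claims are examined.
SAMPLE_CLAIMS = {
    "iss": "https://op.example.com",
    "sub": "24400320",
    "aud": "s6BhdRkqt3",
    "iat": 1472606744,
    "exp": 1472607344,  # ten minutes after iat
    "nonce": "n-0S6_WzA2Mj",
}

CLOCK_SKEW = 60  # seconds of OP/RP clock skew the RP tolerates (assumed RP policy)


def accept_for_authentication(claims, now, issuer, client_id, nonce):
    """Return True if the RP may use these ID Token claims to authenticate the
    End-User at time `now`. The "exp" claim is checked here, and only here."""
    if claims.get("iss") != issuer:
        return False
    aud = claims.get("aud")
    if not (aud == client_id or (isinstance(aud, list) and client_id in aud)):
        return False
    if claims.get("nonce") != nonce:
        return False
    # On or after "exp" (plus tolerated skew) the ID Token MUST NOT be accepted
    # for authentication. Nothing about the resulting session is decided here.
    if now >= claims["exp"] + CLOCK_SKEW:
        return False
    return True


def establish_session(claims, now, session_lifetime):
    """Create the RP's authenticated session. Its lifetime is RP policy and is
    independent of the ID Token's "exp": the token may expire long before the
    session does, and that does not end the session."""
    return {
        "sub": claims["sub"],
        "iss": claims["iss"],
        "authenticated_at": now,
        "session_expires": now + session_lifetime,
    }


def session_is_active(session, now):
    """Session validity consults the RP's own expiry, never the token's "exp"."""
    return now < session["session_expires"]
```

Re-authentication (a fresh ID Token) is what an RP should require when it wants to bound session length, which is why conflating "exp" with session lifetime gets the check in the wrong place.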