[Openid-specs-ab] Correlation between RP session and IdToken expiry times

Justin Richer jricher at mit.edu
Tue Nov 21 16:50:54 UTC 2017


No, that’s not reasonable to assume. The ID Token should be very short lived in practice, as it’s really just a message from the IdP to the RP saying “this is the person logging in”. It doesn’t need to live long to be processed. The RP should take over its session management on its own after that, and it shouldn’t base its session life on the assertion lifetime. 

 — Justin

> On Nov 12, 2017, at 6:48 AM, Sergey Beryozkin via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:
> 
> Hi All
> 
> Is it reasonable/correct to assume that the expiry time of IdToken should be the expiry time of the OIDC RP session as well ?
> 
> Thanks, Sergey
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
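The point Justin makes above, that the RP validates the ID Token as a short-lived login message and then runs its own session on its own clock, shown as an added example. This is illustrative code written for this page, not code from the OIDC specs, from Justin, or from any project on the list. It assumes an IdP that signs ID Tokens with HS256 using the client secret (a real deployment would normally verify RS256/ES256 against the IdP's JWKS), and the issuer, client_id, lifetimes and clock-skew tolerance are made-up values.

```python
"""Added example: ID Token validation decoupled from the RP session lifetime.

Assumptions (not from the original thread): HS256 with a shared client secret,
a made-up issuer and client_id, a 5-minute token lifetime, an 8-hour RP session.
"""
import base64
import hashlib
import hmac
import json
import secrets

ISSUER = "https://idp.example"      # assumed IdP issuer identifier
CLIENT_ID = "rp-client-1"           # assumed RP client_id
CLOCK_SKEW = 60                     # tolerated clock drift, seconds
RP_SESSION_LIFETIME = 8 * 3600      # RP policy; deliberately unrelated to exp


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(secret: bytes, sub: str, now: int, nonce: str, lifetime: int = 300) -> str:
    """Constructed IdP side: a short-lived HS256 ID Token (5 minutes by default)."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": sub, "aud": CLIENT_ID, "iat": now,
              "exp": now + lifetime, "auth_time": now, "nonce": nonce}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_id_token(token: str, secret: bytes, now: int, expected_nonce: str) -> dict:
    """RP side: accept the token only as a fresh login assertion, or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":          # pin the algorithm; do not trust the header's choice
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise ValueError("token not intended for this RP")
    if now > claims["exp"] + CLOCK_SKEW:      # exp only gates acceptance of the assertion
        raise ValueError("ID Token expired")
    if claims["iat"] > now + CLOCK_SKEW:
        raise ValueError("issued in the future")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims


class SessionStore:
    """In-memory RP session store; expiry comes from RP policy, not from the token's exp."""

    def __init__(self) -> None:
        self._sessions: dict = {}

    def login(self, token: str, secret: bytes, now: int, expected_nonce: str) -> str:
        claims = validate_id_token(token, secret, now, expected_nonce)
        sid = secrets.token_urlsafe(32)           # opaque session id, unrelated to the token
        self._sessions[sid] = {"sub": claims["sub"], "auth_time": claims["auth_time"],
                               "expires": now + RP_SESSION_LIFETIME}
        return sid

    def is_active(self, sid: str, now: int) -> bool:
        s = self._sessions.get(sid)
        return s is not None and now < s["expires"]


def demo() -> dict:
    """Login at t0; ten minutes later the session lives on but the token is no longer accepted."""
    secret = b"constructed-client-secret-for-the-example"   # constructed, not a real secret
    t0 = 1_511_282_000
    nonce = "n-0S6_WzA2Mj"                                   # constructed nonce bound to the login
    token = make_id_token(secret, "alice", t0, nonce)
    store = SessionStore()
    sid = store.login(token, secret, t0 + 2, nonce)
    later = t0 + 600
    try:
        validate_id_token(token, secret, later, nonce)
        token_accepted_later = True
    except ValueError:
        token_accepted_later = False
    return {"session_active": store.is_active(sid, later),
            "token_accepted_later": token_accepted_later}


if __name__ == "__main__":
    print(demo())
```

The only place `exp` is consulted is at login time, when the RP decides whether to accept the assertion at all; after that the RP session's own `expires` governs, and the ID Token can be discarded. If a deployment wants a session shorter than `RP_SESSION_LIFETIME` or tied to re-authentication, that is a decision for the RP's policy (for example based on `auth_time`), not something inherited from the token.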


