[Openid-specs-ab] Correlation between RP session and IdToken expiry times

Sergey Beryozkin sberyozkin at gmail.com
Tue Nov 21 16:59:03 UTC 2017


Hi Justin,

Thanks, we've had some doubts re what to do when IdToken expires, though 
indeed, my colleagues do not think tying the id token lifetime to the RP 
session one was needed.

What would be the recommended action for the RP to take when it sees 
IdToken expiring? Does it really have any practical value, the IdToken 
expiry time?

Thanks, Sergey
On 21/11/17 16:50, Justin Richer wrote:
> No, that’s not reasonable to assume. The ID Token should be very short lived in practice, as it’s really just a message from the IdP to the RP saying “this is the person logging in”. It doesn’t need to live long to be processed. The RP should take over its session management on its own after that, and it shouldn’t base its session life on the assertion lifetime.
> 
>   — Justin
> 
>> On Nov 12, 2017, at 6:48 AM, Sergey Beryozkin via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:
>>
>> Hi All
>>
>> Is it reasonable/correct to assume that the expiry time of IdToken should be the expiry time of the OIDC RP session as well?
>>
>> Thanks, Sergey
> 
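
The separation described in the quoted reply, as an added example that is not part of the original thread: the RP checks the ID Token's `exp` once, at login, and then runs a session whose lifetime comes from its own policy. Signature verification is assumed to have happened already; the timeout values, the in-memory store and the names `login` and `session_subject` are hypothetical.

```python
import secrets
import time

CLOCK_SKEW = 60              # tolerated clock drift in seconds (assumed value)
SESSION_IDLE = 15 * 60       # RP's own idle timeout (assumed policy)
SESSION_ABSOLUTE = 8 * 3600  # RP's own absolute timeout (assumed policy)
SESSIONS = {}                # session id -> record; in-memory store for the example

# Constructed sample claims: an ID Token valid for 5 minutes from t=1000.
SAMPLE = {"iss": "https://idp.example", "aud": "rp-client",
          "sub": "user-123", "iat": 1000, "exp": 1300}


def login(claims, expected_iss, client_id, now=None):
    """Check signature-verified ID Token claims once, then start an RP session."""
    now = time.time() if now is None else now
    if claims["iss"] != expected_iss:
        raise ValueError("unexpected issuer")
    aud = claims["aud"]
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued to this client")
    if now >= claims["exp"] + CLOCK_SKEW:
        raise ValueError("ID Token expired before it was processed")
    sid = secrets.token_urlsafe(32)
    # The session record deliberately does not copy claims["exp"].
    SESSIONS[sid] = {"sub": claims["sub"], "created": now, "last_seen": now}
    return sid


def session_subject(sid, now=None):
    """Return the logged-in subject, or None once the RP session has ended."""
    now = time.time() if now is None else now
    s = SESSIONS.get(sid)
    if s is None:
        return None
    if now - s["last_seen"] > SESSION_IDLE or now - s["created"] > SESSION_ABSOLUTE:
        del SESSIONS[sid]
        return None
    s["last_seen"] = now
    return s["sub"]
```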

