[Openid-specs-ab] Correlation between RP session and IdToken expiry times

Brian Campbell bcampbell at pingidentity.com
Tue Nov 21 17:17:33 UTC 2017


+1

On Nov 21, 2017 10:10 AM, "Justin Richer via Openid-specs-ab" <
openid-specs-ab at lists.openid.net> wrote:

> No, that’s not reasonable to assume. The ID Token should be very short
> lived in practice, as it’s really just a message from the IdP to the RP
> saying “this is the person logging in”. It doesn’t need to live long to be
> processed. The RP should take over its session management on its own after
> that, and it shouldn’t base its session life on the assertion lifetime.
>
>  — Justin
>
> > On Nov 12, 2017, at 6:48 AM, Sergey Beryozkin via Openid-specs-ab <
> openid-specs-ab at lists.openid.net> wrote:
> >
> > Hi All
> >
> > Is it reasonable/correct to assume that the expiry time of IdToken
> should be the expiry time of the OIDC RP session as well ?
> >
> > Thanks, Sergey
> > _______________________________________________
> > Openid-specs-ab mailing list
> > Openid-specs-ab at lists.openid.net
> > http://lists.openid.net/mailman/listinfo/openid-specs-ab
>


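The separation described in the quoted reply, as an added example that is not part of the thread: the RP checks the ID Token's claims once at login, then runs a session governed only by its own idle and absolute timers. The function names, timeout values and the `idp.example` issuer are assumptions, and signature verification is assumed to have been done already by a JOSE library.

```python
import secrets

CLOCK_SKEW = 60               # assumed tolerance (seconds) for the exp check
SESSION_IDLE = 30 * 60        # assumed RP policy: idle timeout
SESSION_ABSOLUTE = 8 * 3600   # assumed RP policy: absolute session lifetime

def check_id_token_claims(claims, issuer, client_id, nonce, now):
    """Check the claims of an ID Token whose signature is already verified."""
    if claims.get("iss") != issuer:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued to this client")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp + CLOCK_SKEW:
        raise ValueError("ID Token missing exp or expired")
    if not claims.get("sub"):
        raise ValueError("ID Token has no subject")
    return claims["sub"]

def start_session(claims, issuer, client_id, nonce, now):
    """Consume the ID Token once at login; the session keeps no copy of exp."""
    sub = check_id_token_claims(claims, issuer, client_id, nonce, now)
    return {"id": secrets.token_urlsafe(32), "sub": sub,
            "created": now, "last_seen": now}

def session_is_live(session, now):
    """Decide liveness from the RP's own timers only."""
    if now - session["created"] >= SESSION_ABSOLUTE:
        return False
    if now - session["last_seen"] >= SESSION_IDLE:
        return False
    session["last_seen"] = now   # activity resets the idle timer
    return True

if __name__ == "__main__":
    # Constructed sample: a token that expires two minutes after login.
    t0 = 1_700_000_000
    claims = {"iss": "https://idp.example", "aud": "rp-client",
              "sub": "user-1", "nonce": "n-1", "exp": t0 + 120}
    s = start_session(claims, "https://idp.example", "rp-client", "n-1", t0)
    print(session_is_live(s, t0 + 600))   # token expired, session still live
```

The same token presented again after its `exp` is rejected by `start_session`, while the session it created earlier continues until one of the RP's own timers ends it.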
