[Openid-specs-ab] Correlation between RP session and IdToken expiry times

George Fletcher gffletch at aol.com
Tue Nov 21 20:35:31 UTC 2017


Whether the idToken has value after the initial authentication flow is 
dependent on how the Issuer intends the id_token to be used.

As Justin states, there is no corollary between the id_token expiry and 
the expiry of the session at the AS. Obviously the session could be 
terminated and the id_token still be valid. If the RT is tied to the 
session of the user at the AS then you can use the refresh_token grant 
to determine when the RT becomes invalidated (via some polling scheme). 
Of course this only works if the AS binds the RT to a session. 
Otherwise, the RP must rely on the AS to implement one of the forms of 
"session logout" and rely on that to know the session has expired.

Thanks,
George

P.S. I'm not sure I go so far as to say that the id_token "SHOULD" be 
very short lived but that's for a different discussion:)

On 11/21/17 11:59 AM, Sergey Beryozkin via Openid-specs-ab wrote:
> Hi Justin,
>
> Thanks, we've had some doubts re what to do when IdToken expires, 
> though indeed, my colleagues do not think tying the id token lifetime 
> to the RP session one was needed.
>
> What would be the recommended action for the RP to take when it sees 
> the IdToken expiring? Does it really have any practical value, the IdToken 
> expiry time?
>
> Thanks, Sergey
> On 21/11/17 16:50, Justin Richer wrote:
>> No, that’s not reasonable to assume. The ID Token should be very 
>> short lived in practice, as it’s really just a message from the IdP 
>> to the RP saying “this is the person logging in”. It doesn’t need to 
>> live long to be processed. The RP should take over its session 
>> management on its own after that, and it shouldn’t base its session 
>> life on the assertion lifetime.
>>
>>   — Justin
>>
>>> On Nov 12, 2017, at 6:48 AM, Sergey Beryozkin via Openid-specs-ab 
>>> <openid-specs-ab at lists.openid.net> wrote:
>>>
>>> Hi All
>>>
>>> Is it reasonable/correct to assume that the expiry time of the IdToken 
>>> should be the expiry time of the OIDC RP session as well?
>>>
>>> Thanks, Sergey
>>> _______________________________________________
>>> Openid-specs-ab mailing list
>>> Openid-specs-ab at lists.openid.net
>>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>>

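The approach George describes, as an added illustration that is not code from this thread or from any OpenID project: the RP checks the id_token `exp` once at login, runs its own session lifetime, and learns that the AS session has ended only when a refresh_token grant poll fails. The simulated session-bound AS, `RP_SESSION_TTL` and every other name here are assumptions, and the poll is only meaningful when the AS actually binds the RT to the user's session.

```python
import base64
import itertools
import json

RP_SESSION_TTL = 8 * 3600  # hypothetical RP policy; unrelated to the id_token "exp"


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_id_token(payload: dict) -> str:
    # Constructed, unsigned token for the demo; a real RP verifies the signature first.
    return b64url(b'{"alg":"none"}') + "." + b64url(json.dumps(payload).encode()) + "."


def id_token_claims(token: str) -> dict:
    seg = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))


class SessionBoundAS:
    """Simulated AS that binds each refresh token to a login session (assumption)."""
    def __init__(self):
        self._live = {}  # refresh_token -> AS session id
        self._ids = itertools.count()

    def issue_rt(self, sid: str) -> str:
        rt = f"rt-{next(self._ids)}"
        self._live[rt] = sid
        return rt

    def refresh(self, rt: str):
        sid = self._live.pop(rt, None)  # refresh tokens rotate on every use
        if sid is None:
            return "invalid_grant", None  # AS session is gone (or RT unknown)
        return "ok", self.issue_rt(sid)

    def end_session(self, sid: str) -> None:
        self._live = {rt: s for rt, s in self._live.items() if s != sid}


def login(id_token: str, refresh_token: str, now: int) -> dict:
    claims = id_token_claims(id_token)
    if claims["exp"] < now:  # "exp" matters once: when the token is presented
        raise ValueError("expired id_token presented at login")
    return {"sub": claims["sub"], "rt": refresh_token,
            "rp_expires_at": now + RP_SESSION_TTL}


def session_alive(session: dict, now: int, refresh_grant) -> bool:
    """RP-side check: own TTL first, then poll the AS with the refresh grant."""
    if now >= session["rp_expires_at"]:
        return False
    status, new_rt = refresh_grant(session["rt"])
    if status != "ok":
        return False  # AS invalidated the RT, i.e. the AS session has ended
    session["rt"] = new_rt
    return True
```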