[Openid-specs-ab] Correlation between RP session and IdToken expiry times

Thomas Broyer t.broyer at gmail.com
Tue Nov 21 22:38:51 UTC 2017


Maybe one of you can explain this to me:
http://openid.net/specs/openid-connect-session-1_0.html#ChangeNotification
> An ID Token typically comes with an expiration date. The RP MAY rely on
> it to expire the RP session. However, it is entirely possible that the
> End-User might have logged out of the OP before the expiration date.

(Note that I agree with both of you, but that draft implies otherwise;
http://openid.net/specs/openid-heart-openid-connect-1_0-2017-05-31.html#rfc.section.3.1
&
https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?Submit=Submit&format=ascii&mode=html&type=ascii&url=https://bitbucket.org/openid/igov/raw/master/openid-igov-profile.xml#rfc.section.3.1
--copy-paste?-- are clear though; I already reported this inconsistency 2
years ago or so, but it still hasn't been fixed)

On Tue, Nov 21, 2017 at 18:42, Brian Campbell via Openid-specs-ab <
openid-specs-ab at lists.openid.net> wrote:

> +1
>
> On Nov 21, 2017 10:10 AM, "Justin Richer via Openid-specs-ab" <
> openid-specs-ab at lists.openid.net> wrote:
>
>> No, that’s not reasonable to assume. The ID Token should be very short
>> lived in practice, as it’s really just a message from the IdP to the RP
>> saying “this is the person logging in”. It doesn’t need to live long to be
>> processed. The RP should take over its session management on its own after
>> that, and it shouldn’t base its session life on the assertion lifetime.
>>
>>  — Justin
>>
>> > On Nov 12, 2017, at 6:48 AM, Sergey Beryozkin via Openid-specs-ab <
>> openid-specs-ab at lists.openid.net> wrote:
>> >
>> > Hi All
>> >
>> > Is it reasonable/correct to assume that the expiry time of IdToken
>> should be the expiry time of the OIDC RP session as well ?
>> >
>> > Thanks, Sergey
>> > _______________________________________________
>> > Openid-specs-ab mailing list
>> > Openid-specs-ab at lists.openid.net
>> > http://lists.openid.net/mailman/listinfo/openid-specs-ab
>>
>
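As an added example that is not part of the thread, this sketches the approach Justin describes (the ID Token as a short-lived login message, after which the RP runs its own session clock) and the case from the quoted session spec where the End-User logs out of the OP before the token's exp. The session policy constants, the in-memory stores and the function names are assumptions for illustration; signature verification of the ID Token is assumed to have happened upstream.

```python
import time
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Assumed RP policy values; the token's exp plays no part in them.
CLOCK_SKEW = 60                 # leeway in seconds for iat/exp checks
SESSION_IDLE_MAX = 30 * 60      # RP idle timeout
SESSION_ABSOLUTE_MAX = 8 * 3600  # RP absolute session lifetime


@dataclass
class RpSession:
    sub: str
    sid: Optional[str]   # OP session id claim, if the OP issued one
    created_at: float
    last_seen: float
    revoked: bool = False


SESSIONS: Dict[str, RpSession] = {}          # rp session id -> session
SESSIONS_BY_SID: Dict[str, Set[str]] = {}    # OP sid -> rp session ids


def accept_login(claims: dict, expected_nonce: str, now: float) -> str:
    """Check the time and nonce claims of an (already signature-verified)
    ID Token once, at login, and mint an RP session of the RP's own making."""
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    if now > claims["exp"] + CLOCK_SKEW:
        raise ValueError("ID Token expired: it is only the login message")
    if claims.get("iat", 0) > now + CLOCK_SKEW:
        raise ValueError("ID Token issued in the future")
    session_id = "rp-%d" % (len(SESSIONS) + 1)  # use a CSPRNG id in real code
    sess = RpSession(claims["sub"], claims.get("sid"), now, now)
    SESSIONS[session_id] = sess
    if sess.sid:
        SESSIONS_BY_SID.setdefault(sess.sid, set()).add(session_id)
    return session_id


def session_active(session_id: str, now: float) -> bool:
    """RP's own liveness rule: idle and absolute timeouts plus OP-logout
    revocation. The ID Token's exp is deliberately not consulted here."""
    sess = SESSIONS.get(session_id)
    if sess is None or sess.revoked:
        return False
    if now - sess.last_seen > SESSION_IDLE_MAX:
        return False
    if now - sess.created_at > SESSION_ABSOLUTE_MAX:
        return False
    sess.last_seen = now
    return True


def on_op_logout(sid: str) -> int:
    """End every RP session tied to OP session 'sid' (e.g. after a session
    state change notification); returns how many were revoked."""
    ids = SESSIONS_BY_SID.pop(sid, set())
    for session_id in ids:
        SESSIONS[session_id].revoked = True
    return len(ids)
```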