[Openid-specs-ab] Correlation between RP session and IdToken expiry times

Justin Richer jricher at mit.edu
Wed Nov 22 16:38:31 UTC 2017


It has a practical value in communicating to the RP when it should process the assertion so that you don’t get an old ID token and accept it. The ID token lifetime should be pretty short in practice. 

 — Justin


> On Nov 21, 2017, at 11:59 AM, Sergey Beryozkin <sberyozkin at gmail.com> wrote:
> 
> Hi Justin,
> 
> Thanks, we've had some doubts re what to do when IdToken expires, though indeed, my colleagues do not think tying the id token lifetime to the RP session one was needed.
> 
> What would be the recommended action for the RP to take when it sees the IdToken expiring? Does it really have any practical value, the IdToken expiry time?
> 
> Thanks, Sergey
> On 21/11/17 16:50, Justin Richer wrote:
>> No, that’s not reasonable to assume. The ID Token should be very short lived in practice, as it’s really just a message from the IdP to the RP saying “this is the person logging in”. It doesn’t need to live long to be processed. The RP should take over its session management on its own after that, and it shouldn’t base its session life on the assertion lifetime.
>>  — Justin
>>> On Nov 12, 2017, at 6:48 AM, Sergey Beryozkin via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:
>>> 
>>> Hi All
>>> 
>>> Is it reasonable/correct to assume that the expiry time of IdToken should be the expiry time of the OIDC RP session as well?
>>> 
>>> Thanks, Sergey
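The RP-side behaviour this thread describes, validating the ID token's `exp` (with a small clock-skew allowance) so a stale assertion is never accepted, and then running an RP session whose lifetime comes from the RP's own policy rather than from the token, as an added Python example. It is not code from the thread or from any OpenID project; the skew, maximum-age and session-lifetime values, the sample claims and the issuer/client identifiers are constructed assumptions, and JWT signature verification is assumed to have been done before these checks run.

```python
import time
from dataclasses import dataclass

# Constructed RP settings (assumed values, not taken from the thread).
MAX_CLOCK_SKEW_SECONDS = 60             # tolerance between IdP and RP clocks
MAX_ID_TOKEN_AGE_SECONDS = 10 * 60      # reject assertions issued too long ago
RP_SESSION_LIFETIME_SECONDS = 8 * 3600  # the RP's own policy, independent of exp


class IDTokenRejected(Exception):
    """Raised when an ID token fails the RP's claim checks."""


def check_id_token_claims(claims, expected_issuer, expected_audience,
                          expected_nonce, now=None):
    """Check binding and time claims of an already signature-verified ID token.

    Returns the claims on success; raises IDTokenRejected otherwise.
    """
    now = time.time() if now is None else now

    if claims.get("iss") != expected_issuer:
        raise IDTokenRejected("issuer mismatch")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_audience not in audiences:
        raise IDTokenRejected("audience mismatch")
    if claims.get("nonce") != expected_nonce:
        raise IDTokenRejected("nonce mismatch")

    try:
        exp = int(claims["exp"])
        iat = int(claims["iat"])
    except (KeyError, TypeError, ValueError):
        raise IDTokenRejected("exp and iat are required numeric claims")

    # exp: the assertion must still be processable, allowing a small skew.
    if now > exp + MAX_CLOCK_SKEW_SECONDS:
        raise IDTokenRejected("ID token has expired; stale assertion rejected")
    # iat: not from the future, and not older than the RP tolerates.
    if iat > now + MAX_CLOCK_SKEW_SECONDS:
        raise IDTokenRejected("ID token issued in the future")
    if now - iat > MAX_ID_TOKEN_AGE_SECONDS:
        raise IDTokenRejected("ID token is too old to be processed")
    return claims


def token_accepted(claims, expected_issuer, expected_audience, expected_nonce, now):
    """Boolean wrapper around check_id_token_claims, handy for tests and logging."""
    try:
        check_id_token_claims(claims, expected_issuer, expected_audience,
                              expected_nonce, now=now)
        return True
    except IDTokenRejected:
        return False


@dataclass
class RPSession:
    subject: str
    issued_at: float
    expires_at: float


def establish_session(claims, now):
    """Start an RP-managed session after a successful login.

    The session lifetime is the RP's own policy, not the token's exp: the
    assertion only proves who is logging in right now.
    """
    return RPSession(subject=claims["sub"], issued_at=now,
                     expires_at=now + RP_SESSION_LIFETIME_SECONDS)


def session_is_active(session, now):
    return now < session.expires_at


# Constructed sample claims (not a real token); the token lives five minutes.
LOGIN_TIME = 1_511_280_000  # fixed instant so the example is reproducible
ISSUER, CLIENT_ID, NONCE = "https://idp.example", "rp-client-id", "n-0S6_WzA2Mj"
SAMPLE_CLAIMS = {
    "iss": ISSUER, "sub": "user-123", "aud": CLIENT_ID, "nonce": NONCE,
    "iat": LOGIN_TIME, "exp": LOGIN_TIME + 300,
}


def demo():
    """Accept a fresh token, start a session, show the session outliving the token."""
    login_now = LOGIN_TIME + 10
    claims = check_id_token_claims(SAMPLE_CLAIMS, ISSUER, CLIENT_ID, NONCE, now=login_now)
    session = establish_session(claims, now=login_now)
    one_hour_later = LOGIN_TIME + 3600
    token_still_valid = token_accepted(SAMPLE_CLAIMS, ISSUER, CLIENT_ID, NONCE, one_hour_later)
    return session_is_active(session, one_hour_later), token_still_valid


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the two lifetimes moving independently: an hour after login the session is still active while the same ID token would now be rejected as stale, which is the point Justin makes about the RP taking over session management once the assertion has been processed.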
