[Openid-specs-ab] Correlation between RP session and IdToken expiry times

Justin Richer jricher at mit.edu
Wed Nov 22 16:39:14 UTC 2017


I agree that the session draft is wrong.

 — Justin

> On Nov 21, 2017, at 5:38 PM, Thomas Broyer <t.broyer at gmail.com> wrote:
> 
> Maybe one of you can explain this to me: http://openid.net/specs/openid-connect-session-1_0.html#ChangeNotification
> > An ID Token typically comes with an expiration date. The RP MAY rely on it to expire the RP session. However, it is entirely possible that the End-User might have logged out of the OP before the expiration date.
> 
> (Note that I agree with both of you, but that draft implies otherwise; http://openid.net/specs/openid-heart-openid-connect-1_0-2017-05-31.html#rfc.section.3.1 & https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?Submit=Submit&format=ascii&mode=html&type=ascii&url=https://bitbucket.org/openid/igov/raw/master/openid-igov-profile.xml#rfc.section.3.1 --copy-paste?-- are clear though; I already reported this inconsistency 2 years ago or so, but it still hasn't been fixed)
> 
> On Tue, Nov 21, 2017, 18:42, Brian Campbell via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:
> +1
> 
> On Nov 21, 2017 10:10 AM, "Justin Richer via Openid-specs-ab" <openid-specs-ab at lists.openid.net> wrote:
> No, that’s not reasonable to assume. The ID Token should be very short lived in practice, as it’s really just a message from the IdP to the RP saying “this is the person logging in”. It doesn’t need to live long to be processed. The RP should take over its session management on its own after that, and it shouldn’t base its session life on the assertion lifetime.
> 
>  — Justin
> 
> > On Nov 12, 2017, at 6:48 AM, Sergey Beryozkin via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:
> >
> > Hi All
> >
> > Is it reasonable/correct to assume that the expiry time of IdToken should be the expiry time of the OIDC RP session as well ?
> >
> > Thanks, Sergey
> > _______________________________________________
> > Openid-specs-ab mailing list
> > Openid-specs-ab at lists.openid.net
> > http://lists.openid.net/mailman/listinfo/openid-specs-ab
