[Openid-specs-ab] Correlation between RP session and IdToken expiry times

Brian Campbell bcampbell at pingidentity.com
Wed Nov 22 16:54:03 UTC 2017


There is an open issue around this
https://bitbucket.org/openid/connect/issues/1002/clarify-meaning-of-exp-claim-in-id-token
and I just added a comment referencing this thread and the session draft.

On Wed, Nov 22, 2017 at 9:39 AM, Justin Richer <jricher at mit.edu> wrote:

> I agree that the session draft is wrong.
>
>  — Justin
>
> On Nov 21, 2017, at 5:38 PM, Thomas Broyer <t.broyer at gmail.com> wrote:
>
> Maybe one of you can explain this to me: http://openid.net/specs/openid-connect-session-1_0.html#ChangeNotification
> > An ID Token typically comes with an expiration date. The RP MAY rely on
> it to expire the RP session. However, it is entirely possible that the
> End-User might have logged out of the OP before the expiration date.
>
> (Note that I agree with both of you, but that draft implies otherwise;
> http://openid.net/specs/openid-heart-openid-connect-1_0-2017-05-31.html#rfc.section.3.1 & https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?Submit=Submit&format=ascii&mode=html&type=ascii&url=https://bitbucket.org/openid/igov/raw/master/openid-igov-profile.xml#rfc.section.3.1 --copy-paste?--
> are clear though; I already reported this inconsistency 2 years ago or so,
> but it still hasn't been fixed)
>
> On Tue, 21 Nov 2017 at 18:42, Brian Campbell via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:
>
>> +1
>>
>> On Nov 21, 2017 10:10 AM, "Justin Richer via Openid-specs-ab" <
>> openid-specs-ab at lists.openid.net> wrote:
>>
>>> No, that’s not reasonable to assume. The ID Token should be very short
>>> lived in practice, as it’s really just a message from the IdP to the RP
>>> saying “this is the person logging in”. It doesn’t need to live long to be
>>> processed. The RP should take over its session management on its own after
>>> that, and it shouldn’t base its session life on the assertion lifetime.
>>>
>>>  — Justin
>>>
>>> > On Nov 12, 2017, at 6:48 AM, Sergey Beryozkin via Openid-specs-ab <
>>> openid-specs-ab at lists.openid.net> wrote:
>>> >
>>> > Hi All
>>> >
>>> > Is it reasonable/correct to assume that the expiry time of IdToken
>>> > should be the expiry time of the OIDC RP session as well?
>>> >
>>> > Thanks, Sergey
>>> > _______________________________________________
>>> > Openid-specs-ab mailing list
>>> > Openid-specs-ab at lists.openid.net
>>> > http://lists.openid.net/mailman/listinfo/openid-specs-ab
>>>
>>>
>>
>>
>
>

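The separation Justin describes above (validate the ID Token once when it arrives, then let the RP run its own session) as an added Python example; this is not code from this thread or from any OpenID project. It assumes the JWT signature has already been verified by a JOSE library, and the RP timeout values and sample claims are constructed for illustration.

```python
from dataclasses import dataclass

CLOCK_SKEW = 60               # tolerated OP/RP clock drift, seconds
SESSION_IDLE = 30 * 60        # assumed RP idle timeout (RP policy, not from the spec)
SESSION_ABSOLUTE = 8 * 3600   # assumed RP absolute session lifetime (RP policy)

@dataclass
class RpSession:
    sub: str
    iss: str
    created_at: int
    last_seen: int

def check_id_token_claims(claims, expected_iss, expected_aud, expected_nonce, now):
    """Validate the ID Token once, when it is received. Signature verification
    is assumed to have been done already by a JOSE library. 'exp' bounds how
    long the assertion itself may be accepted, not how long the RP session lives."""
    if claims.get("iss") != expected_iss:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if not (aud == expected_aud or (isinstance(aud, list) and expected_aud in aud)):
        raise ValueError("ID Token not intended for this RP")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    if now > claims["exp"] + CLOCK_SKEW:
        raise ValueError("ID Token expired: refuse to start a session from it")
    if claims["iat"] > now + CLOCK_SKEW:
        raise ValueError("ID Token issued in the future")

def start_session(claims, expected_iss, expected_aud, expected_nonce, now):
    """Create the RP's own session only after the assertion has been accepted."""
    check_id_token_claims(claims, expected_iss, expected_aud, expected_nonce, now)
    return RpSession(sub=claims["sub"], iss=claims["iss"], created_at=now, last_seen=now)

def session_is_valid(session, now):
    """Only the RP's own idle/absolute limits decide; ID Token exp is not consulted."""
    return (now - session.created_at <= SESSION_ABSOLUTE
            and now - session.last_seen <= SESSION_IDLE)

def touch(session, now):
    """Record user activity; extends the idle window, never the absolute one."""
    session.last_seen = now

# Constructed sample: a 5-minute ID Token, the short-lived assertion the thread argues for.
NOW = 1_511_280_000
SAMPLE_CLAIMS = {"iss": "https://op.example", "aud": "rp-client-id", "sub": "alice",
                 "iat": NOW, "exp": NOW + 300, "nonce": "n-0S6_WzA2Mj"}
```

Note that an OP-side logout before the RP session ends (the case the session draft raises) is not detected by either lifetime; that needs a front- or back-channel logout mechanism, which this example does not cover.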