<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">I agree that the session draft is wrong.<div class=""><br class=""></div><div class=""> — Justin</div><div class=""><br class=""><div><blockquote type="cite" class=""><div class="">On Nov 21, 2017, at 5:38 PM, Thomas Broyer &lt;<a href="mailto:t.broyer@gmail.com" class="">t.broyer@gmail.com</a>&gt; wrote:</div><br class="Apple-interchange-newline"><div class=""><meta http-equiv="Content-Type" content="text/html; charset=utf-8" class="">Maybe one of you can explain this to me: <a href="http://openid.net/specs/openid-connect-session-1_0.html#ChangeNotification" class="">http://openid.net/specs/openid-connect-session-1_0.html#ChangeNotification</a><div class="">&gt; An ID Token typically comes with an expiration date. The RP MAY rely on it to expire the RP session. However, it is entirely possible that the End-User might have logged out of the OP before the expiration date.</div><div class=""><br class=""></div><div class="">(Note that I agree with both of you, but that draft implies otherwise; <a href="http://openid.net/specs/openid-heart-openid-connect-1_0-2017-05-31.html#rfc.section.3.1" class="">http://openid.net/specs/openid-heart-openid-connect-1_0-2017-05-31.html#rfc.section.3.1</a> &amp; <a href="https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?Submit=Submit&format=ascii&mode=html&type=ascii&url=https://bitbucket.org/openid/igov/raw/master/openid-igov-profile.xml#rfc.section.3.1" class="">https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?Submit=Submit&format=ascii&mode=html&type=ascii&url=https://bitbucket.org/openid/igov/raw/master/openid-igov-profile.xml#rfc.section.3.1</a> --copy-paste?-- are clear though; I already reported this inconsistency 2 years ago or so, but it still hasn't been fixed)<br class=""><br class=""><div class="gmail_quote"><div dir="ltr" class="">On Tue, 
Nov 21, 2017 at 18:42, Brian Campbell via Openid-specs-ab &lt;<a href="mailto:openid-specs-ab@lists.openid.net" class="">openid-specs-ab@lists.openid.net</a>&gt; wrote:<br class=""></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="auto" class="">+1</div><div class="gmail_extra"><br class=""><div class="gmail_quote">On Nov 21, 2017 10:10 AM, "Justin Richer via Openid-specs-ab" &lt;<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank" class="">openid-specs-ab@lists.openid.net</a>&gt; wrote:<br type="attribution" class=""><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">No, that’s not reasonable to assume. The ID Token should be very short-lived in practice, as it’s really just a message from the IdP to the RP saying “this is the person logging in”. It doesn’t need to live long to be processed. The RP should take over its session management on its own after that, and it shouldn’t base its session life on the assertion lifetime.<br class="">
<br class="">
 — Justin<br class="">
<br class="">
> On Nov 12, 2017, at 6:48 AM, Sergey Beryozkin via Openid-specs-ab &lt;<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank" class="">openid-specs-ab@lists.openid.net</a>&gt; wrote:<br class="">
><br class="">
> Hi All<br class="">
><br class="">
> Is it reasonable/correct to assume that the expiry time of IdToken should be the expiry time of the OIDC RP session as well ?<br class="">
><br class="">
> Thanks, Sergey<br class="">
> _______________________________________________<br class="">
> Openid-specs-ab mailing list<br class="">
> <a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank" class="">Openid-specs-ab@lists.openid.net</a><br class="">
> <a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" rel="noreferrer" target="_blank" class="">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br class="">
<br class="">
</blockquote></div></div>

<br class="">
</blockquote></div></div>
</div></blockquote></div><br class=""></div></body></html>