[Openid-specs-fapi] Issue #211: clients should be required to send a 'reasonable' exp in request object (openid/fapi)

Joseph Heenan issues-reply at bitbucket.org
Mon Jan 21 12:23:21 UTC 2019

New issue 211: clients should be required to send a 'reasonable' exp in request object

Joseph Heenan:

Although we currently say that servers must require an exp claim is present, there's not actually any further discussion about processing of the exp claim other than what is present in JWT, i.e. https://tools.ietf.org/html/rfc7519#section-4.1.4 

It would probably be sensible to set some kind of upper limit.

e.g. for client assertions https://tools.ietf.org/html/rfc7521 says:

> Note that the
>      authorization server may reject assertions with an Expires At
>      attribute value that is unreasonably far in the future.

This came up as we discovered an RP in the OB ecosystem was sending:

"exp": 1548068599885,

ie. Friday 5th May in the year 51026.

Some OPs seem to accept that as a valid expiry, some reject it as invalid (possibly because it's bigger than fits in a 32bit unix time_t, or possibly because they view it as too far in the future).

I'd thinking about something along the lines of "clients shall send an exp claim in the request object that has a validity of no more than 60 minutes". Even 60 minutes is perhaps unnecessarily long.

More information about the Openid-specs-fapi mailing list