[Openid-specs-fapi] Issue #252: Question about accessing UserInfo endpoint after ID token expiration (openid/fapi)

kaeruko issues-reply at bitbucket.org
Fri Jul 19 06:39:34 UTC 2019

New issue 252: Question about accessing UserInfo endpoint after ID token expiration


As described below, UserInfo endpoint needs a ID\_token,

\[NOTE: Due to the possibility of token substitution attacks \(see [**Section 16.11**](https://openid.net/specs/openid-connect-core-1_0.html#TokenSubstitution)\), the UserInfo Response is not guaranteed to be about the End-User identified by the `sub` \(subject\) element of the ID Token. The `sub` Claim in the UserInfo Response MUST be verified to exactly match the `sub` Claim in the ID Token; if they do not match, the UserInfo Response values MUST NOT be used.\]\([https://openid.net/specs/openid-connect-core-1\_0.html#UserInfoResponse](https://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse)\)

Although access tokens and ID tokens have an expiration date,  
Only the access token is newly issued by refresh, and expire can not be renewed even if the ID token is reissued.

I'm wondering how to get the latest user information after the ID token has expired, but in that case it is ok to use the expired ID token when accessing UserInfo

More information about the Openid-specs-fapi mailing list