From thamindu.randil at gmail.com Mon Dec 21 07:22:45 2020
From: thamindu.randil at gmail.com (Thamindu Randil)
Date: Mon, 21 Dec 2020 12:52:45 +0530
Subject: [Code] "exp" Claim in Logout Token

I'm working on the logout token validation for the federated identity provider initiated back-channel logout in an identity server. Currently I'm using an instance of the same identity server as the federated identity provider.

The logout token I receive from the IdP has an "exp" claim in the claim set. According to the OIDC Back-Channel Logout Specification, under the Security Considerations, it is stated that:

"OPs are encouraged to use short expiration times in Logout Tokens, preferably at most two minutes in the future, to prevent captured Logout Tokens from being replayable"

But in RFC 8417, they state that it is *not recommended* to use an "exp" claim in SETs.

What is the recommendation for having an "exp" claim in the OIDC logout token?

-- 
Best Regards,
Thamindu Randil
Undergraduate
Department of Computer Science & Engineering
University of Moratuwa
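The RP-side claim validation the message is about, as an added example that is not part of the original post nor the code of the identity server it refers to. It implements the claim checks of OpenID Connect Back-Channel Logout 1.0 section 2.6 (iss/aud/iat as for an ID Token, sub and/or sid, the events member, no nonce, jti replay detection). How it reconciles the two documents the message quotes is this example's own policy, not something either document mandates: "exp" is treated as optional because RFC 8417 discourages it in SETs, but it is enforced when the OP sends one, and independently of "exp" a token whose "iat" is older than the two-minute window suggested in the spec's Security Considerations is rejected, so a captured token stops being replayable even without "exp". Signature verification and JWE decryption happen before this step and are not shown. The issuer, client_id, clock value and the sample claim set are constructed for the example.

```python
"""Claim-set checks for an OIDC Back-Channel Logout Token (section 2.6 steps 3-7).

The input is the decoded, already signature-verified claim set; signature
checks and decryption are assumed to have happened earlier.
"""
import time

BACKCHANNEL_LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"

# Local policy for this example (an assumption, not a spec requirement):
# "exp" is optional but honoured if present; tokens whose "iat" is older than
# the two-minute window are rejected regardless of "exp".
MAX_TOKEN_AGE = 120  # seconds
CLOCK_SKEW = 30      # seconds of leeway for iat/exp comparisons


class LogoutTokenError(ValueError):
    """Raised when a Logout Token claim set fails validation."""


def validate_logout_token_claims(claims, expected_iss, client_id, seen_jtis, now=None):
    """Return the sub/sid to log out, or raise LogoutTokenError.

    seen_jtis is a mutable set used for replay detection; the jti is recorded
    only after every other check has passed.
    """
    now = int(time.time()) if now is None else now

    # Step 3: iss, aud and iat are validated as for an ID Token.
    if claims.get("iss") != expected_iss:
        raise LogoutTokenError("iss does not match the expected issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        raise LogoutTokenError("client_id is not in aud")
    iat = claims.get("iat")
    if not isinstance(iat, int):
        raise LogoutTokenError("iat missing or not an integer")
    if iat > now + CLOCK_SKEW:
        raise LogoutTokenError("iat is in the future")
    if now - iat > MAX_TOKEN_AGE + CLOCK_SKEW:
        raise LogoutTokenError("token is older than the accepted window")

    # "exp": optional (RFC 8417 discourages it in SETs), enforced when present.
    exp = claims.get("exp")
    if exp is not None:
        if not isinstance(exp, int):
            raise LogoutTokenError("exp is not an integer")
        if now > exp + CLOCK_SKEW:
            raise LogoutTokenError("token has expired")

    # Step 4: at least one of sub / sid must identify what to log out.
    if "sub" not in claims and "sid" not in claims:
        raise LogoutTokenError("neither sub nor sid present")

    # Step 5: the events claim must contain the back-channel logout member.
    events = claims.get("events")
    if not isinstance(events, dict) or BACKCHANNEL_LOGOUT_EVENT not in events:
        raise LogoutTokenError("events claim lacks the backchannel-logout member")

    # Step 6: a nonce must not be present (distinguishes it from an ID Token).
    if "nonce" in claims:
        raise LogoutTokenError("nonce must not be present in a Logout Token")

    # Step 7: jti is required and must not have been seen recently.
    jti = claims.get("jti")
    if not isinstance(jti, str) or not jti:
        raise LogoutTokenError("jti missing")
    if jti in seen_jtis:
        raise LogoutTokenError("replayed jti")
    seen_jtis.add(jti)

    return {"sub": claims.get("sub"), "sid": claims.get("sid")}


def reject_reason(claims, expected_iss, client_id, seen_jtis=None, now=None):
    """Convenience wrapper: the rejection message, or None if the token is accepted."""
    try:
        validate_logout_token_claims(claims, expected_iss, client_id,
                                     set() if seen_jtis is None else seen_jtis, now)
    except LogoutTokenError as err:
        return str(err)
    return None


# Constructed sample claim set (not a real token); issuer, client_id and the
# fixed clock value are hypothetical so the run is deterministic.
ISSUER = "https://op.example.com"
CLIENT_ID = "rp-client"
NOW = 1608531765
SAMPLE_CLAIMS = {
    "iss": ISSUER,
    "aud": CLIENT_ID,
    "iat": NOW - 5,
    "exp": NOW + 115,  # 120 s lifetime, the spec's suggested maximum
    "jti": "bWJq",
    "sub": "248289761001",
    "sid": "08a5019c-17e1-4977-8f42-65a12843ea02",
    "events": {BACKCHANNEL_LOGOUT_EVENT: {}},
}

if __name__ == "__main__":
    seen = set()
    print(validate_logout_token_claims(SAMPLE_CLAIMS, ISSUER, CLIENT_ID, seen, now=NOW))
    print(reject_reason(SAMPLE_CLAIMS, ISSUER, CLIENT_ID, seen, now=NOW))   # replayed jti
    print(reject_reason(SAMPLE_CLAIMS, ISSUER, CLIENT_ID, now=NOW + 300))   # stale iat
```

Note that the replay cache (`seen_jtis`) only needs to remember a jti for as long as the iat window plus skew, since anything older is rejected by the age check anyway; that is what makes the short window useful even when the OP omits "exp".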