[OpenID] “exp” Claim in Logout Token

Thamindu Randil thamindu.randil at gmail.com
Mon Dec 21 07:22:45 UTC 2020


I'm working on the logout token validation for the federated identity
provider initiated back-channel logout in an identity server. Currently I'm
using an instance of the same identity server as the federated identity
provider. The logout token I receive from the IdP has an "exp" claim in the
claim set. According to the OIDC Back-Channel Logout Specification
<https://openid.net/specs/openid-connect-backchannel-1_0.html#Validation>,
under the Security Considerations, it is stated that:

"OPs are encouraged to use short expiration times in Logout Tokens,
preferably at most two minutes in the future, to prevent captured Logout
Tokens from being replayable"

But in RFC 8417 <https://www.rfc-editor.org/rfc/rfc8417.html#section-2.2>,
they state that it is *not recommended* to use an "exp" claim in SETs.

What is the recommendation for having an "exp" claim in the OIDC logout
token?

-- 
Best Regards,
Thamindu Randil
Undergraduate
Department of Computer Science & Engineering
University of Moratuwa
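As an added illustration of the validation the question is about (example code, not from the poster's identity server or from the OpenID specifications), the function below checks a decoded Logout Token claim set against the Back-Channel Logout validation rules and treats "exp", when present, as a hard bound on the replay window while relying on "jti" tracking when it is absent. The claim values, the two-minute local policy limit and the in-memory jti cache are constructed assumptions; signature verification is assumed to have happened already.

```python
import time

BACKCHANNEL_LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"
MAX_EXP_WINDOW = 120  # local policy: the spec's "at most two minutes in the future" guidance

# Constructed replay cache of accepted jti values (a real RP would use shared, expiring storage)
_seen_jti = set()


def validate_logout_token_claims(claims, expected_issuer, client_id, now=None,
                                 max_skew=60, max_exp_window=MAX_EXP_WINDOW):
    """Return a list of problems with a Logout Token claim set; empty means acceptable."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != expected_issuer:
        problems.append("iss mismatch")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud does not contain client_id")
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)):
        problems.append("iat missing")
    elif iat > now + max_skew:
        problems.append("iat in the future")
    # A Logout Token must not carry a nonce, so it cannot be passed off as an ID Token
    if "nonce" in claims:
        problems.append("nonce present")
    events = claims.get("events")
    if not isinstance(events, dict) or not isinstance(events.get(BACKCHANNEL_LOGOUT_EVENT), dict):
        problems.append("missing backchannel-logout event")
    if "sub" not in claims and "sid" not in claims:
        problems.append("neither sub nor sid present")
    # "exp" is optional; when the OP sends it, honour it and, as a local policy, reject
    # windows longer than the spec's two-minute suggestion (assumption, not a spec MUST)
    exp = claims.get("exp")
    if exp is not None:
        if exp < now - max_skew:
            problems.append("token expired")
        elif iat is not None and max_exp_window and exp - iat > max_exp_window:
            problems.append("exp window longer than local policy allows")
    # jti replay check only once everything else passed, so rejected tokens never poison the cache
    jti = claims.get("jti")
    if not jti:
        problems.append("jti missing")
    elif not problems:
        if jti in _seen_jti:
            problems.append("jti replayed")
        else:
            _seen_jti.add(jti)
    return problems
```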