[Openid-specs-ab] Expiration Time in token-requests
Udo Neitzel
mail at udoneitzel.de
Thu Jun 12 21:26:42 UTC 2014
Hi,
I'm currently implementing an OpenID Connect server and
I have a little issue regarding an authorization request using
a JWT.
openid-connect-core-1_0, section 9, declares the parameter "exp"
as required. The expiration time refers to the ID Token:
"REQUIRED. Expiration time on or after which the ID Token MUST NOT
be accepted for processing"
draft-ietf-oauth-jwt-bearer-09, section 3, refers to the JWT of the
request:
"The JWT MUST contain an "exp" (expiration) claim that limits the time
window during which the JWT can be used.
The authorization server MUST verify that the expiration time has not
passed".
In my opinion the OpenID Connect specification should also say
request token, not ID Token.
It makes sense to limit the lifetime of the request object in order to
limit the time during which it could be reused. After the expiration
time, stored JWT IDs can be discarded.
... or did I get this wrong?
Regards,
Udo Neitzel