[Openid-specs-ab] Expiration Time in token-requests

Nat Sakimura sakimura at gmail.com
Thu Jun 19 13:16:21 UTC 2014


Hi.

You can always put an exp claim in the JWT.
In some cases, you might not want to put an explicit expiry date in the
request object, so it was not made a mandatory claim.

Cheers,

Nat


2014-06-13 6:26 GMT+09:00 Udo Neitzel <mail at udoneitzel.de>:

> Hi,
>
> I'm currently implementing an OpenID Connect Server and
> I have a little issue regarding an authorization-request using
> a JWT.
>
> openid-connect-core-1_0, section 9, declares the parameter "exp"
> as required. The expiration time refers to the ID Token:
>
>
>    "REQUIRED. Expiration time on or after which the ID Token MUST NOT be
> accepted for processing"
>
>
> draft-ietf-oauth-jwt-bearer-09, section 3, refers to the JWT of the
> request:
>
> "The JWT MUST contain an "exp" (expiration) claim that limits the time
> window during which the JWT can be used.
> The authorization server MUST verify that the expiration time has not
> passed".
>
> In my opinion the OpenID Connect specification should also say
> request-token, not ID Token.
> It makes sense to limit the lifetime of the request object in order to
> limit the time it could be reused. After the expiration time, stored
> JWT IDs can be discarded.
>
> ... or did I get this wrong?
>
>
>
> Regards,
>
>   Udo Neitzel



-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
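The behaviour discussed in this thread (honouring an exp claim on a request object when present, and discarding stored JWT IDs once they have expired) as an added example; it is not code from the thread or from any OpenID implementation. It assumes the caller has already verified the request object's signature and passes in the decoded claims, and the CLOCK_SKEW and DEFAULT_LIFETIME values are assumed policy choices.

```python
import time

# Added example, not from the thread. Assumes `claims` is the decoded claim
# set of an already signature-verified request object; times are Unix seconds.
CLOCK_SKEW = 60          # assumed leeway for clock differences
DEFAULT_LIFETIME = 300   # assumed maximum lifetime when no exp claim is present


class ReplayStore:
    """Remembers seen jti values until they expire so a request object cannot be replayed."""

    def __init__(self):
        self._seen = {}  # jti -> time after which the entry may be discarded

    def prune(self, now):
        # Expired JWTs are rejected anyway, so their jti entries can be dropped.
        self._seen = {j: e for j, e in self._seen.items() if e > now}

    def register(self, jti, expires_at, now):
        self.prune(now)
        if jti in self._seen:
            return False
        self._seen[jti] = expires_at
        return True


def validate_request_object(claims, store, now=None):
    """Return (ok, reason). Enforces exp if present, otherwise a bounded lifetime from iat."""
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if exp is None:
        # exp is optional for request objects; derive a bound from iat so that a
        # stored jti still has a point at which it can be discarded.
        iat = claims.get("iat")
        if iat is None:
            return False, "neither exp nor iat present"
        exp = iat + DEFAULT_LIFETIME
    if not isinstance(exp, (int, float)):
        return False, "exp is not numeric"
    if now > exp + CLOCK_SKEW:
        return False, "request object expired"
    jti = claims.get("jti")
    if jti is not None and not store.register(jti, exp + CLOCK_SKEW, now):
        return False, "jti already used (replay)"
    return True, "ok"
```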