[Openid-specs-ab] session management: id_token.exp is not a session lifetime

Manger, James James.H.Manger at team.telstra.com
Thu Mar 16 07:17:03 UTC 2017


Couple of comments on openid-connect-session-1_0:

1.
I assumed the "exp" (expiry) member in an id_token indicates when the RP can accept the id_token to start a session. It would typically be minutes after when the id_token was issued. The user's session with the OP and its session with the RP could last for much longer.

However, §4. "Session Status Change Notification" says "the RP MAY rely on it [id_token expiration date] to expire the RP session". The next sentence talks about a situation where the user logs out of the OP before the id_token expires, and the text goes on to imply this is the motivation for this session management spec.


2.
§4.1. "RP iframe" says the "RP MUST perform re-authentication with prompt=none", but then in the next paragraph says the RP "SHOULD first try a prompt=none request". The MUST & SHOULD seem to clash.

3.
The abstract could be more useful. It says too much about OIDC generically and too little about the session management spec. Its first paragraph is not about the session management spec at all, just generic OIDC words. Drop that from the abstract, though it's ok in the introduction. The abstract should mention the OP, RP, and iframes. My suggestion:

  This specification defines mechanisms that allow a user's sessions at an OpenID Provider
  and a relying party to be coordinated. It allows a logout at one to be appropriately handled
  at the other. Efficient interactions while avoiding excessive polling are achieved by posting
  messages between iframes.

[Perhaps "relying parties" (plural) in the abstract would be even better?]

--
James Manger
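The distinction raised in point 1, as an added example that is not part of the original post or of the OpenID specification: an RP checks the id_token's "exp" only at the moment it accepts the token to start a session, and tracks its own session lifetime separately, ending the session early only when the OP signals a logout (the Session Status Change Notification of §4). The HS256 shared-key signing, the key, the issuer and audience strings and the claim values are all constructed for the example; a real OP signs with its own asymmetric key and the RP validates against the OP's published keys.

```python
"""Added example: id_token "exp" bounds token acceptance, not the RP session."""
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_id_token(claims: dict, key: bytes) -> str:
    """Constructed HS256 test token (assumption: a shared key, to stay offline).
    A real OP would sign with its own private key, e.g. RS256."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_id_token(token: str, key: bytes, now: int,
                    issuer: str, audience: str) -> dict:
    """Accept the token only if the signature, iss, aud and exp check out at *now*.
    This is the point at which "exp" matters: it limits how long the RP may
    use the token to start a session, not how long that session may last."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        raise ValueError("iss/aud mismatch")
    if now >= claims["exp"]:
        raise ValueError("id_token expired; cannot be used to start a session")
    return claims


@dataclass
class RPSession:
    sub: str
    started_at: int
    lifetime: int          # seconds; chosen by the RP, independent of id_token exp
    ended: bool = False    # set when the OP notifies a logout

    def is_active(self, now: int) -> bool:
        return not self.ended and now < self.started_at + self.lifetime


def start_session(token: str, key: bytes, now: int, issuer: str, audience: str,
                  lifetime: int = 8 * 3600) -> RPSession:
    """Validate the id_token once, then open an RP session with the RP's own lifetime."""
    claims = verify_id_token(token, key, now, issuer, audience)
    return RPSession(sub=claims["sub"], started_at=now, lifetime=lifetime)


def on_op_logout(session: RPSession) -> None:
    """Handle a session-status change from the OP (e.g. learned via the OP iframe):
    the RP session ends now, regardless of the id_token's exp or the RP lifetime."""
    session.ended = True


# Constructed values for a stand-alone run.
KEY = b"constructed-test-key"
ISS = "https://op.example"          # assumed issuer
AUD = "rp-client-1234"              # assumed client_id
IAT = 1_000_000                     # arbitrary epoch seconds


def scenario() -> dict:
    """Walk through: short-lived token, long-lived RP session, OP logout."""
    token = make_id_token({"iss": ISS, "sub": "alice", "aud": AUD,
                           "iat": IAT, "exp": IAT + 300}, KEY)
    session = start_session(token, KEY, IAT + 10, ISS, AUD)   # token still fresh
    active_after_token_expiry = session.is_active(IAT + 3600) # session outlives exp
    try:
        verify_id_token(token, KEY, IAT + 3600, ISS, AUD)     # but token is now unusable
        token_reusable = True
    except ValueError:
        token_reusable = False
    on_op_logout(session)
    return {"active_after_token_expiry": active_after_token_expiry,
            "token_reusable": token_reusable,
            "active_after_op_logout": session.is_active(IAT + 3600)}


if __name__ == "__main__":
    print(scenario())
```

The session's lifetime here is an RP policy value; the only external event that shortens it is the OP's logout notification, which is the coordination this spec is about.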
