[Openid-specs-ab] Issue #1664: Expiration of Logout Tokens for Back-Channel Logout: exp claim not mentioned in spec (openid/connect)
Michael Engler
issues-reply at bitbucket.org
Fri Oct 7 08:18:32 UTC 2022
New issue 1664: Expiration of Logout Tokens for Back-Channel Logout: exp claim not mentioned in spec
https://bitbucket.org/openid/connect/issues/1664/expiration-of-logout-tokens-for-back
Michael Engler:
Hi there,
In section 4 ([https://openid.net/specs/openid-connect-backchannel-1_0.html#Security](https://openid.net/specs/openid-connect-backchannel-1_0.html#Security)) I read the following:
> “OPs are encouraged to use short expiration times in Logout Tokens, preferably at most two minutes in the future, to prevent captured Logout Tokens from being replayable.”
However, section 2.4 ([https://openid.net/specs/openid-connect-backchannel-1_0.html#LogoutToken](https://openid.net/specs/openid-connect-backchannel-1_0.html#LogoutToken)) does not mention anything with regard to a required _exp_ claim in the Logout Token. The only - in my view rather vague - statement which might match is:
> “Logout Tokens MAY contain other Claims.”
Could you please clarify if an _exp_ claim ought to be there?
Kind regards,
Michael
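Added example, not part of the thread or of the specification: an RP-side check over the decoded claims of a Logout Token that enforces the two-minute bound from section 4 whether or not an `exp` claim is present, and rejects a replayed `jti`. It assumes the JWT signature has already been verified by the caller, and that `expected_iss`/`expected_aud` are the RP's configured issuer and client_id (both hypothetical names).

```python
import time
from typing import Optional

BACKCHANNEL_LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"
MAX_TOKEN_AGE_SECONDS = 120  # the "at most two minutes" bound recommended in section 4

# jti values already accepted, kept until their deadline so a captured token cannot be replayed
_seen_jti: dict = {}


def validate_logout_token(claims: dict, expected_iss: str, expected_aud: str,
                          now: Optional[float] = None) -> str:
    """Validate decoded Logout Token claims and return the accepted jti.

    Assumes the JWT signature was verified before this call. Raises ValueError on failure.
    """
    now = time.time() if now is None else now
    if claims.get("iss") != expected_iss:
        raise ValueError("iss mismatch")
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("aud mismatch")
    if "sub" not in claims and "sid" not in claims:
        raise ValueError("sub or sid required")
    if "nonce" in claims:
        raise ValueError("nonce must not be present in a Logout Token")
    events = claims.get("events")
    if not isinstance(events, dict) or BACKCHANNEL_LOGOUT_EVENT not in events:
        raise ValueError("missing backchannel-logout event")
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)):
        raise ValueError("iat required")
    # exp is optional per section 2.4; when it is absent, derive a deadline from iat instead
    exp = claims.get("exp", iat + MAX_TOKEN_AGE_SECONDS)
    if now > exp or now - iat > MAX_TOKEN_AGE_SECONDS:
        raise ValueError("Logout Token expired or older than the allowed window")
    jti = claims.get("jti")
    if not isinstance(jti, str) or not jti:
        raise ValueError("jti required")
    # drop entries whose deadline has passed, then refuse any jti seen before
    for old, deadline in list(_seen_jti.items()):
        if deadline <= now:
            del _seen_jti[old]
    if jti in _seen_jti:
        raise ValueError("replayed Logout Token")
    _seen_jti[jti] = exp
    return jti
```

Because the age check is applied to `iat` as well as `exp`, an OP that sets a long `exp` cannot extend the replay window beyond what the RP is willing to accept.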