[Openid-specs-ab] Representation of infinite duration/timestamp

David Waite david at alkaline-solutions.com
Thu Jun 19 07:12:52 UTC 2025


On Jun 19, 2025, at 12:10 AM, Andrii Deinega via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:
> 
> I guess an OP can announce whether it supports "IPSIE OIDC SL1"
> through its metadata so there won't be any ambiguity when this claim
> is omitted.
> 
> I also find the name of the claim (session_lifetime) a bit misleading
> as it represents the expected lifetime of the RP session by an OP.

I noticed this as well. A hypothetical OP policy might center around adaptive re-authentication, and only consider sessions to be “ended” on explicit administrative access or automatically after an extended period of inactivity (e.g. two months). But they may convey a session_lifetime of 15 minutes, with the idea that they will repeatedly reissue id_tokens over the refresh grant with up-to-date information.

Likewise, the end of a session lifetime may imply “killing” sessions, where state including partial work is destroyed. Destroying the changes someone is attempting to make every 15 minutes since you reached the end of a session lifetime is not ideal.

An id_token is effectively a statement that the end user who hit the redirect_uri has an authenticated session at the OP, for the RP to verify and then make a business decision whether to create its own session based on that statement. However, JWTs do not differentiate subject information, metadata, and security conditions from one another - they are all just uniquely named claims. So while you hope the names do a good job of conveying their audience (as it were) and purpose, the spec that defines them may still be required to interpret their purpose properly. I’d say using TLAs for claim names probably helps here - less room for people to make assumptions based on just a name.

So in isolation, one could read the name session_lifetime as completionism with auth_time, e.g. the OP saying “I authenticated the user ten minutes ago and will require them to re-authenticate in 230 minutes”. Instead, it appears to be a condition for use, “you as the RP must not allow continued access for longer than 230 minutes based on this id_token”.

> For those who are interested, there is a discussion on context #2 or
> "refresh_token_expires_in" at
> https://github.com/oauth-wg/oauth-v2-1/issues/187.

Thanks!

> 
> All the best,
> Andrii

-DW
