<div dir="ltr"><span style="font-family:arial,sans-serif;font-size:13px">Hi everyone,</span><div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px">I started implementing OpenID Connect Core 1.0 (Basic profile) and was now looking at OpenID Connect Session 1.0.</div>
<div style="font-family:arial,sans-serif;font-size:13px">There, it says that (section 4):</div><div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px"> <span style="font-family:verdana,charcoal,helvetica,arial,sans-serif">An ID Token typically comes with an expiration date. The RP MAY rely</span></div>
<div style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:verdana,charcoal,helvetica,arial,sans-serif"> on it to </span><span style="font-family:verdana,charcoal,helvetica,arial,sans-serif">expire the RP session.</span></div>
<div style="font-family:arial,sans-serif;font-size:13px"><font color="#000000" face="verdana, charcoal, helvetica, arial, sans-serif"><br></font></div><div style="font-family:arial,sans-serif;font-size:13px"><font color="#000000" face="verdana, charcoal, helvetica, arial, sans-serif">This is not at all what I expected after reading the other specs (Core, Messages).</font></div>
<div style="font-family:arial,sans-serif;font-size:13px"><font color="#000000" face="verdana, charcoal, helvetica, arial, sans-serif">In Core, "exp" is defined as (section 2):</font></div><div style="font-family:arial,sans-serif;font-size:13px">
<font color="#000000" face="verdana, charcoal, helvetica, arial, sans-serif"><br></font></div><div style="font-family:arial,sans-serif;font-size:13px"><font color="#000000" face="verdana, charcoal, helvetica, arial, sans-serif"> </font><span style="font-family:verdana,charcoal,helvetica,arial,sans-serif">Expiration time on or after which the ID Token MUST NOT be accepted</span></div>
<div style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:verdana,charcoal,helvetica,arial,sans-serif"> for processing.</span></div><div style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:verdana,charcoal,helvetica,arial,sans-serif"><br>
</span></div><div style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:verdana,charcoal,helvetica,arial,sans-serif">So my understanding (and what I implemented) was that I could (should?) give a very short lifetime to the ID Token, given that it's only processed/validated upon reception from the Token Endpoint. Currently, my ID Tokens expire after 10 minutes (for comparison, my Authorization Codes are only valid for 1 minute).</span></div>
<div style="font-family:arial,sans-serif;font-size:13px"><font color="#000000" face="verdana, charcoal, helvetica, arial, sans-serif"><br></font></div><div style="font-family:arial,sans-serif;font-size:13px"><font color="#000000" face="verdana, charcoal, helvetica, arial, sans-serif">I thus searched what I could have missed, and found, in Core, section 3:</font></div>
<div style="font-family:arial,sans-serif;font-size:13px"><font color="#000000" face="verdana, charcoal, helvetica, arial, sans-serif"><br></font></div><div style="font-family:arial,sans-serif;font-size:13px"><font color="#000000" face="verdana, charcoal, helvetica, arial, sans-serif"> The Authentication result is returned in an ID Token, as defined in</font></div>
<div style="font-family:arial,sans-serif;font-size:13px"><font color="#000000" face="verdana, charcoal, helvetica, arial, sans-serif"> Section 2. It has</font><span style="font-family:verdana,charcoal,helvetica,arial,sans-serif"> Claims expressing such information as the Issuer,</span></div>
<div style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:verdana,charcoal,helvetica,arial,sans-serif"> the Subject Identifier, when the</span><span style="font-family:verdana,charcoal,helvetica,arial,sans-serif"> authentication expires, etc.</span></div>
<div style="font-family:arial,sans-serif;font-size:13px"><font color="#000000" face="verdana, charcoal, helvetica, arial, sans-serif"><br></font></div><div style="font-family:arial,sans-serif;font-size:13px"><font color="#000000" face="verdana, charcoal, helvetica, arial, sans-serif">OK, so maybe the "exp" of the ID Token is the expected "end of the session" (more on that later). You'll note that it's just a small note lost in the middle of a big spec. If "exp" is to be used for any other purpose than validating the ID Token, then it should be called out more prominently.</font></div>
<div style="font-family:arial,sans-serif;font-size:13px"><font color="#000000" face="verdana, charcoal, helvetica, arial, sans-serif">Also, the example in section 3.1.3.3 actually conflicts with this definition: the ID Token expires after 1000 seconds only (while the access token expires after 3600 seconds).</font></div>
<div style="font-family:arial,sans-serif;font-size:13px"><font color="#000000" face="verdana, charcoal, helvetica, arial, sans-serif"><br></font></div><div style="font-family:arial,sans-serif;font-size:13px"><font color="#000000" face="verdana, charcoal, helvetica, arial, sans-serif">Now, about what the "end of the session" means. Currently, I issue access tokens that expire after 1 hour. Because I exclusively use the authorization_code flow (and refresh_token flow), RPs have to go through the whole dance every hour at most to ask for another access token; so should the "end of the session" be the same as the expiration of the access token? Actually, for RPs that only need federated authentication but won't actually use the access token, the "end of session" could be the same as the session I maintain on the OP, that lasts for several hours.</font></div>
<div style="font-family:arial,sans-serif;font-size:13px"><font color="#000000" face="verdana, charcoal, helvetica, arial, sans-serif"><br></font></div><div style="font-family:arial,sans-serif;font-size:13px"><font color="#000000" face="verdana, charcoal, helvetica, arial, sans-serif">So, could someone make it clear what's the expected "exp" value for the ID Token returned by the Token Endpoint? (in the case of authorization_code flow) Should it be short because it's only useful for validating the ID Token upon reception? Should it be the same as the access token expiration? (at least for the case where offline_access has not been granted) Or should it be the same as the session maintained on the OP? (that could last for hours, and with "remember me" could even last for days)</font></div>
<div style="font-family:arial,sans-serif;font-size:13px"><font color="#000000" face="verdana, charcoal, helvetica, arial, sans-serif"><br></font></div><div style="font-family:arial,sans-serif;font-size:13px"><font color="#000000" face="verdana, charcoal, helvetica, arial, sans-serif">Or should the Session spec simply just not make any claim about the ID Token expiration being related to the session expiration?</font></div>
<div style="font-family:arial,sans-serif;font-size:13px"><font color="#000000" face="verdana, charcoal, helvetica, arial, sans-serif"><br></font></div><div style="font-family:arial,sans-serif;font-size:13px"><font color="#000000" face="verdana, charcoal, helvetica, arial, sans-serif">Thanks in advance.</font></div>
<br clear="all"><div><br></div>-- <br>Thomas Broyer<br>/t<a href="http://xn--nna.ma.xn--bwa-xxb.je/">ɔ.ma.bʁwa.je/</a>
</div>
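As an added illustration of the two readings discussed in the message above (example code, not from the poster or the OpenID Connect specs): an RP-side check that treats "exp" as the acceptance deadline from Core section 2, kept separate from the RP session lifetime that Session section 4 says the RP MAY, but need not, derive from "exp". ISSUER, CLIENT_ID and the sample token are constructed placeholders.

```python
import base64
import json

# Constructed example, not code from the OpenID Connect specs or the poster.
# Hypothetical names: ISSUER and CLIENT_ID stand in for a real OP and RP.
ISSUER = "https://op.example"
CLIENT_ID = "rp-client-1"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_id_token(claims: dict) -> str:
    # Constructed, unsigned token for illustration only; a real RP must
    # verify the JWS signature before trusting any of these claims.
    header = _b64url(json.dumps({"alg": "none"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def decode_claims(id_token: str) -> dict:
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def validate_id_token(claims: dict, now: int, skew: int = 60) -> list:
    # Core section 2 semantics: "exp" is the deadline after which the
    # token MUST NOT be accepted for processing; skew tolerates clock drift.
    errors = []
    if claims.get("iss") != ISSUER:
        errors.append("iss mismatch")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        errors.append("aud does not contain client_id")
    if now >= claims.get("exp", 0) + skew:
        errors.append("token expired")
    if claims.get("iat", 0) > now + skew:
        errors.append("iat in the future")
    return errors


def rp_session_expiry(claims: dict, now: int, use_exp: bool, rp_lifetime: int) -> int:
    # Session section 4: the RP MAY rely on "exp" to end its own session;
    # otherwise the RP applies a lifetime policy independent of the token.
    return claims["exp"] if use_exp else now + rp_lifetime
```

With a 10-minute "exp" as in the message, the two policies give very different RP session ends, which is exactly the ambiguity the question raises.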