<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Thomas,<br>
<br>
I agree with your assessment: it's not a very good idea to treat the
expiration of the ID token as a session management bound with no
further mechanisms. <br>
<br>
-- Justin<br>
<br>
<div class="moz-cite-prefix">On 2/22/2016 5:45 AM, Thomas Broyer
wrote:<br>
</div>
<blockquote
cite="mid:CAEayHENALuh1eN3gp2Oc2piWystF8qRPNyqZ1F5ogX_GxNRq0w@mail.gmail.com"
type="cite">
<div dir="ltr">Reading this, I can't help but think back about a
question I asked here that (AFAICT) never had an answer, but has
now contradictory spec texts that reinforce the confusion.
<div><br>
</div>
<div>OpenID Connect Session Management 1.0 – draft 26 says:</div>
<div>> An ID Token typically comes with an expiration date.
The RP MAY rely on it to expire the RP session.</div>
<div>> However, it is entirely possible that the End-User
might have logged out of the OP before the expiration</div>
<div>> date. Therefore, it is highly desirable to be able to
find out the login status of the End-User at the OP.</div>
<div>— Source: <a moz-do-not-send="true"
href="https://openid.net/specs/openid-connect-session-1_0.html#ChangeNotification">https://openid.net/specs/openid-connect-session-1_0.html#ChangeNotification</a></div>
<div><br>
</div>
<div>Health Relationship Trust Profile for OpenID Connect 1.0
says:<br>
</div>
<div>> The ID Token MUST expire and SHOULD have an active
lifetime no longer than five minutes.</div>
<div>— Source: <a moz-do-not-send="true"
href="https://openid.net/specs/openid-heart-openid-connect-1_0-ID1.html#rfc.section.2">https://openid.net/specs/openid-heart-openid-connect-1_0-ID1.html#rfc.section.2</a></div>
<div><br>
</div>
<div>I believe I had seen that last recommendation elsewhere in
OpenID Connect specs (probably earlier drafts of the Core
spec, back when it was split in several documents), and that
was what motivated my question months ago (actually more like
two years ago I believe) related to the Session Management
draft.</div>
<div><br>
</div>
<div>My interpretation is that Session Management actually is
wrong recommending using the ID Token expiration as a baseline
for session expiration. Can someone please confirm?</div>
<div>(if you prefer I instead create an issue at BitBucket, I
can do that too)</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr">On Tue, Feb 16, 2016 at 2:40 AM Mike Jones <<a
moz-do-not-send="true"
href="mailto:Michael.Jones@microsoft.com"><a class="moz-txt-link-abbreviated" href="mailto:Michael.Jones@microsoft.com">Michael.Jones@microsoft.com</a></a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div link="#0563C1" vlink="#954F72" lang="EN-US">
<div>
<p class="MsoNormal"><span style="color:#002060">FYI</span></p>
<p class="MsoNormal"><a moz-do-not-send="true"
name="msg-f:1526293396654599156__MailEndCompose"><span
style="color:#002060"> </span></a></p>
<span></span>
<div>
<div style="border:none;border-top:solid #e1e1e1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Mike Jones <br>
<b>Sent:</b> Monday, February 15, 2016 5:39 PM<br>
<b>To:</b> <a moz-do-not-send="true"
href="mailto:openid-specs-heart@lists.openid.net"
target="_blank">openid-specs-heart@lists.openid.net</a><br>
<b>Subject:</b> HEART Implementer’s Drafts Approved
</p>
</div>
</div>
<p class="MsoNormal"> </p>
<p class="MsoNormal">The following notice was posted at <a
moz-do-not-send="true"
href="http://openid.net/2016/02/15/heart-implementers-drafts-approved/"
target="_blank">
<a class="moz-txt-link-freetext" href="http://openid.net/2016/02/15/heart-implementers-drafts-approved/">http://openid.net/2016/02/15/heart-implementers-drafts-approved/</a></a>:</p>
<p class="MsoNormal"> </p>
<p style="line-height:15.0pt"><b><span
style="font-size:14.0pt;font-family:"Helvetica",sans-serif;color:#5a5a5a">HEART
Implementer’s Drafts Approved</span></b></p>
<p style="line-height:15.0pt"><span
style="font-size:10.5pt;font-family:"Helvetica",sans-serif;color:#5a5a5a">The
OpenID Foundation members have approved of the
following specifications as OpenID Implementer’s
Drafts:</span></p>
<p class="MsoNormal"
style="margin-left:18.75pt;line-height:15.0pt">
<span
style="font-size:10.0pt;font-family:Symbol;color:#5a5a5a"><span>·<span
style="font:7.0pt "Times New Roman"">
</span></span></span><span
style="font-size:10.5pt;font-family:"Helvetica",sans-serif;color:#5a5a5a">Health
Relationship Trust Profile for OAuth 2.0</span></p>
<p class="MsoNormal"
style="margin-left:18.75pt;line-height:15.0pt">
<span
style="font-size:10.0pt;font-family:Symbol;color:#5a5a5a"><span>·<span
style="font:7.0pt "Times New Roman"">
</span></span></span><span
style="font-size:10.5pt;font-family:"Helvetica",sans-serif;color:#5a5a5a">Health
Relationship Trust Profile for OpenID Connect 1.0</span></p>
<p class="MsoNormal"
style="margin-left:18.75pt;line-height:15.0pt">
<span
style="font-size:10.0pt;font-family:Symbol;color:#5a5a5a"><span>·<span
style="font:7.0pt "Times New Roman"">
</span></span></span><span
style="font-size:10.5pt;font-family:"Helvetica",sans-serif;color:#5a5a5a">Health
Relationship Trust Profile for User Managed Access 1.0</span></p>
<p style="line-height:15.0pt"><span
style="font-size:10.5pt;font-family:"Helvetica",sans-serif;color:#5a5a5a">An
Implementer’s Draft is a stable version of a
specification providing intellectual property
protections to implementers of the specification.</span></p>
<p style="line-height:15.0pt"><span
style="font-size:10.5pt;font-family:"Helvetica",sans-serif;color:#5a5a5a">The
specifications are available at:</span></p>
<p class="MsoNormal"
style="margin-left:18.75pt;line-height:15.0pt">
<span
style="font-size:10.0pt;font-family:Symbol;color:#5a5a5a"><span>·<span
style="font:7.0pt "Times New Roman"">
</span></span></span><span
style="font-size:10.5pt;font-family:"Helvetica",sans-serif;color:#5a5a5a"><a
moz-do-not-send="true"
href="http://openid.net/specs/openid-heart-oauth2-1_0-ID1.html"
target="_blank"><a class="moz-txt-link-freetext" href="http://openid.net/specs/openid-heart-oauth2-1_0-ID1.html">http://openid.net/specs/openid-heart-oauth2-1_0-ID1.html</a></a></span></p>
<p class="MsoNormal"
style="margin-left:18.75pt;line-height:15.0pt">
<span
style="font-size:10.0pt;font-family:Symbol;color:#5a5a5a"><span>·<span
style="font:7.0pt "Times New Roman"">
</span></span></span><span
style="font-size:10.5pt;font-family:"Helvetica",sans-serif;color:#5a5a5a"><a
moz-do-not-send="true"
href="http://openid.net/specs/openid-heart-openid-connect-1_0-ID1.html"
target="_blank"><a class="moz-txt-link-freetext" href="http://openid.net/specs/openid-heart-openid-connect-1_0-ID1.html">http://openid.net/specs/openid-heart-openid-connect-1_0-ID1.html</a></a></span></p>
<p class="MsoNormal"
style="margin-left:18.75pt;line-height:15.0pt">
<span
style="font-size:10.0pt;font-family:Symbol;color:#5a5a5a"><span>·<span
style="font:7.0pt "Times New Roman"">
</span></span></span><span
style="font-size:10.5pt;font-family:"Helvetica",sans-serif;color:#5a5a5a"><a
moz-do-not-send="true"
href="http://openid.net/specs/openid-heart-uma-1_0-ID1.html"
target="_blank"><a class="moz-txt-link-freetext" href="http://openid.net/specs/openid-heart-uma-1_0-ID1.html">http://openid.net/specs/openid-heart-uma-1_0-ID1.html</a></a></span></p>
<p style="line-height:15.0pt"><span
style="font-size:10.5pt;font-family:"Helvetica",sans-serif;color:#5a5a5a">The
voting results were:</span></p>
<p class="MsoNormal"
style="margin-left:18.75pt;line-height:15.0pt">
<span
style="font-size:10.0pt;font-family:Symbol;color:#5a5a5a"><span>·<span
style="font:7.0pt "Times New Roman"">
</span></span></span><span
style="font-size:10.5pt;font-family:"Helvetica",sans-serif;color:#5a5a5a">Approve
– 34 votes</span></p>
<p class="MsoNormal"
style="margin-left:18.75pt;line-height:15.0pt">
<span
style="font-size:10.0pt;font-family:Symbol;color:#5a5a5a"><span>·<span
style="font:7.0pt "Times New Roman"">
</span></span></span><span
style="font-size:10.5pt;font-family:"Helvetica",sans-serif;color:#5a5a5a">Object
– 1 vote</span></p>
<p class="MsoNormal"
style="margin-left:18.75pt;line-height:15.0pt">
<span
style="font-size:10.0pt;font-family:Symbol;color:#5a5a5a"><span>·<span
style="font:7.0pt "Times New Roman"">
</span></span></span><span
style="font-size:10.5pt;font-family:"Helvetica",sans-serif;color:#5a5a5a">Abstain
– 11 votes</span></p>
<p style="line-height:15.0pt"><span
style="font-size:10.5pt;font-family:"Helvetica",sans-serif;color:#5a5a5a">Total
votes: 46 (out of 204 members = 23% > 20% quorum
requirement)</span></p>
<p style="line-height:15.0pt"><span
style="font-size:10.5pt;font-family:"Helvetica",sans-serif;color:#5a5a5a">—
Michael B. Jones – OpenID Foundation Board Secretary</span></p>
<p class="MsoNormal"> </p>
</div>
</div>
_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a moz-do-not-send="true"
href="mailto:Openid-specs-ab@lists.openid.net"
target="_blank">Openid-specs-ab@lists.openid.net</a><br>
<a moz-do-not-send="true"
href="http://lists.openid.net/mailman/listinfo/openid-specs-ab"
rel="noreferrer" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
</blockquote>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Openid-specs-ab mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.net</a>
<a class="moz-txt-link-freetext" href="http://lists.openid.net/mailman/listinfo/openid-specs-ab">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a>
</pre>
</blockquote>
<br>
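<p>Added example, not code from the thread or from the OpenID specifications: an RP-side check that applies the two quoted texts together. It rejects an ID Token whose <code>exp - iat</code> exceeds the five-minute lifetime the HEART profile text calls for, and it keeps the RP session's own expiry and an OP-logout signal separate from <code>exp</code>, which is the point Thomas and Justin make above. The HS256 shared secret, the 30-second clock-skew allowance, the session TTL and the sample claims are constructed for the demo; a real RP verifies the OP's asymmetric signature via JWKS and also checks <code>iss</code>, <code>aud</code> and <code>nonce</code>, which are left out here.</p>

```python
"""Added illustration (not code from the thread or from the OpenID specs).

An RP-side check that applies the two texts quoted in the thread together:
 - the ID Token must carry iat/exp and, per the HEART OIDC profile text
   quoted above, its lifetime should not exceed five minutes;
 - the RP session is tracked separately, so token expiry neither ends
   the session by itself nor substitutes for learning about OP logout.

Assumptions: HS256 with a constructed shared secret is used so the block
runs offline; a real RP verifies the OP's asymmetric signature via JWKS
and also checks iss, aud and nonce, which are omitted here.
"""
import base64
import hashlib
import hmac
import json

HEART_MAX_ID_TOKEN_LIFETIME = 300   # "no longer than five minutes" (HEART text quoted above)
CLOCK_SKEW = 30                     # tolerated clock drift in seconds (assumption)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_id_token(claims: dict, key: bytes) -> str:
    """Mint a compact HS256 JWT; stands in for the OP in this demo."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_id_token(token: str, key: bytes, now: int,
                    max_lifetime: int = HEART_MAX_ID_TOKEN_LIFETIME) -> dict:
    """Return the claims if signature and time claims are acceptable, else raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    signing_input = (parts[0] + "." + parts[1]).encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("bad signature")
    if json.loads(_b64url_decode(parts[0])).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    claims = json.loads(_b64url_decode(parts[1]))
    try:
        iat, exp = int(claims["iat"]), int(claims["exp"])
    except (KeyError, TypeError, ValueError):
        raise ValueError("iat and exp are required")
    if iat > now + CLOCK_SKEW:
        raise ValueError("token issued in the future")
    if now >= exp + CLOCK_SKEW:
        raise ValueError("token expired")
    if exp - iat > max_lifetime:
        raise ValueError(f"lifetime {exp - iat}s exceeds profile maximum {max_lifetime}s")
    return claims


class RpSession:
    """RP-local session: its lifetime is a policy choice independent of the token's exp."""

    def __init__(self, claims: dict, now: int, session_ttl: int):
        self.sub = claims["sub"]
        self.id_token_exp = int(claims["exp"])
        self.expires_at = now + session_ttl
        self.op_logout_seen = False

    def is_active(self, now: int) -> bool:
        return self.expires_at > now and not self.op_logout_seen

    def on_op_logout(self) -> None:
        """Called when the RP learns (e.g. via an OP session-status check) that the user logged out."""
        self.op_logout_seen = True


def demo(now: int = 1_456_000_000) -> dict:
    key = b"constructed-shared-secret-for-demo-only"
    base = {"iss": "https://op.example", "sub": "alice", "aud": "rp-client", "iat": now}
    good = make_id_token(dict(base, exp=now + 300), key)         # 5-minute lifetime
    long_lived = make_id_token(dict(base, exp=now + 3600), key)  # 1-hour lifetime
    claims = verify_id_token(good, key, now)
    try:
        verify_id_token(long_lived, key, now)
        long_lived_rejected = False
    except ValueError:
        long_lived_rejected = True
    session = RpSession(claims, now, session_ttl=8 * 3600)
    active_after_token_expiry = session.is_active(now + 600)   # token gone, RP session still valid
    session.on_op_logout()
    active_after_op_logout = session.is_active(now + 600)      # OP logout ends it regardless of exp
    return {
        "subject": claims["sub"],
        "long_lived_rejected": long_lived_rejected,
        "active_after_token_expiry": active_after_token_expiry,
        "active_after_op_logout": active_after_op_logout,
    }


if __name__ == "__main__":
    print(demo())
```

<p>Running <code>demo()</code> shows the two halves of the argument: the one-hour token is refused on the lifetime check alone, while the five-minute token's expiry does not end the RP session, and an OP logout signal does, independent of any timestamp in the token.</p>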
</body>
</html>