<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    Thomas,<br>
    <br>
    I agree with your assessment: it's not a very good idea to treat the
    expiration of the ID token as a session management bound with no
    further mechanisms. <br>
    <br>
     -- Justin<br>
    <br>
    <div class="moz-cite-prefix">On 2/22/2016 5:45 AM, Thomas Broyer
      wrote:<br>
    </div>
    <blockquote
cite="mid:CAEayHENALuh1eN3gp2Oc2piWystF8qRPNyqZ1F5ogX_GxNRq0w@mail.gmail.com"
      type="cite">
      <div dir="ltr">Reading this, I can't help but think back about a
        question I asked here that (AFAICT) never had an answer, but has
        now contradictory spec texts that reinforce the confusion.
        <div><br>
        </div>
        <div>OpenID Connect Session Management 1.0 – draft 26 says:</div>
        <div>> An ID Token typically comes with an expiration date.
          The RP MAY rely on it to expire the RP session.</div>
        <div>> However, it is entirely possible that the End-User
          might have logged out of the OP before the expiration</div>
        <div>> date. Therefore, it is highly desirable to be able to
          find out the login status of the End-User at the OP.</div>
        <div>— Source: <a moz-do-not-send="true"
href="https://openid.net/specs/openid-connect-session-1_0.html#ChangeNotification">https://openid.net/specs/openid-connect-session-1_0.html#ChangeNotification</a></div>
        <div><br>
        </div>
        <div>Health Relationship Trust Profile for OpenID Connect 1.0
          says:<br>
        </div>
        <div>> The ID Token MUST expire and SHOULD have an active
          lifetime no longer than five minutes.</div>
        <div>– Source: <a moz-do-not-send="true"
href="https://openid.net/specs/openid-heart-openid-connect-1_0-ID1.html#rfc.section.2">https://openid.net/specs/openid-heart-openid-connect-1_0-ID1.html#rfc.section.2</a></div>
        <div><br>
        </div>
        <div>I believe I had seen that last recommendation elsewhere in
          OpenID Connect specs (probably earlier drafts of the Core
          spec, back when it was split in several documents), and that
          was what motivated my question months ago (actually more like
          two years ago I believe) related to the Session Management
          draft.</div>
        <div><br>
        </div>
        <div>My interpretation is that Session Management actually is
          wrong recommending using the ID Token expiration as a baseline
          for session expiration. Can someone please confirm?</div>
        <div>(if you prefer I instead create an issue at BitBucket, I
          can do that too)</div>
      </div>
      <br>
      <div class="gmail_quote">
        <div dir="ltr">On Tue, Feb 16, 2016 at 2:40 AM Mike Jones &lt;<a
            moz-do-not-send="true"
            href="mailto:Michael.Jones@microsoft.com">Michael.Jones@microsoft.com</a>&gt;
          wrote:<br>
        </div>
        <blockquote class="gmail_quote" style="margin:0 0 0
          .8ex;border-left:1px #ccc solid;padding-left:1ex">
          <div link="#0563C1" vlink="#954F72" lang="EN-US">
            <div>
              <p class="MsoNormal"><span style="color:#002060">FYI</span></p>
              <div>
                <div style="border:none;border-top:solid #e1e1e1
                  1.0pt;padding:3.0pt 0in 0in 0in">
                  <p class="MsoNormal"><b>From:</b> Mike Jones <br>
                    <b>Sent:</b> Monday, February 15, 2016 5:39 PM<br>
                    <b>To:</b> <a moz-do-not-send="true"
                      href="mailto:openid-specs-heart@lists.openid.net"
                      target="_blank">openid-specs-heart@lists.openid.net</a><br>
                    <b>Subject:</b> HEART Implementer’s Drafts Approved
                  </p>
                </div>
              </div>
              <p class="MsoNormal"> </p>
              <p class="MsoNormal">The following notice was posted at <a
                  moz-do-not-send="true"
                  href="http://openid.net/2016/02/15/heart-implementers-drafts-approved/"
                  target="_blank">http://openid.net/2016/02/15/heart-implementers-drafts-approved/</a>:</p>
              <p class="MsoNormal"> </p>
              <p><b>HEART Implementer’s Drafts Approved</b></p>
              <p>The OpenID Foundation members have approved of the
                following specifications as OpenID Implementer’s
                Drafts:</p>
              <ul>
                <li>Health Relationship Trust Profile for OAuth 2.0</li>
                <li>Health Relationship Trust Profile for OpenID Connect 1.0</li>
                <li>Health Relationship Trust Profile for User Managed Access 1.0</li>
              </ul>
              <p>An Implementer’s Draft is a stable version of a
                specification providing intellectual property
                protections to implementers of the specification.</p>
              <p>The specifications are available at:</p>
              <ul>
                <li><a moz-do-not-send="true"
                    href="http://openid.net/specs/openid-heart-oauth2-1_0-ID1.html"
                    target="_blank">http://openid.net/specs/openid-heart-oauth2-1_0-ID1.html</a></li>
                <li><a moz-do-not-send="true"
                    href="http://openid.net/specs/openid-heart-openid-connect-1_0-ID1.html"
                    target="_blank">http://openid.net/specs/openid-heart-openid-connect-1_0-ID1.html</a></li>
                <li><a moz-do-not-send="true"
                    href="http://openid.net/specs/openid-heart-uma-1_0-ID1.html"
                    target="_blank">http://openid.net/specs/openid-heart-uma-1_0-ID1.html</a></li>
              </ul>
              <p>The voting results were:</p>
              <ul>
                <li>Approve – 34 votes</li>
                <li>Object – 1 vote</li>
                <li>Abstain – 11 votes</li>
              </ul>
              <p>Total votes: 46 (out of 204 members = 23% &gt; 20% quorum
                requirement)</p>
              <p>— Michael B. Jones – OpenID Foundation Board Secretary</p>
              <p class="MsoNormal"> </p>
            </div>
          </div>
          _______________________________________________<br>
          Openid-specs-ab mailing list<br>
          <a moz-do-not-send="true"
            href="mailto:Openid-specs-ab@lists.openid.net"
            target="_blank">Openid-specs-ab@lists.openid.net</a><br>
          <a moz-do-not-send="true"
            href="http://lists.openid.net/mailman/listinfo/openid-specs-ab"
            rel="noreferrer" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
        </blockquote>
      </div>
      <br>
    </blockquote>
    <br>
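    <br>
    An added example, not part of the original thread or of any OpenID specification: it replays two constructed timelines to contrast an RP session bounded only by the ID token's exp with one that has its own limits and also ends when the RP learns of a logout at the OP.<br>
    The RpSession structure, the function names, and the 15-minute idle and 8-hour absolute limits are assumptions chosen for illustration; the five-minute token lifetime is the HEART figure quoted above.<br>

```python
from dataclasses import dataclass

@dataclass
class RpSession:
    """RP-side session record (hypothetical structure for this example)."""
    created_at: int              # time the RP accepted the ID token
    id_token_exp: int            # 'exp' claim of that ID token
    last_seen: int               # last End-User request
    op_logged_out: bool = False  # RP has learned of a logout at the OP

def accept_id_token(iat, exp, now, skew=30):
    """'exp' limits when the token may be accepted at login; checked once."""
    return now + skew >= iat and exp + skew > now

def alive_exp_bound(s, now):
    """Policy A: the ID token expiry is the only session bound."""
    return s.id_token_exp > now

def alive_decoupled(s, now, idle=15 * 60, absolute=8 * 3600):
    """Policy B: RP's own limits (assumed values) plus OP login status."""
    if s.op_logged_out or now - s.last_seen >= idle:
        return False
    return s.created_at + absolute > now

def compare(id_token_lifetime, events):
    """Replay (t, kind) events; return (t, kind, alive_A, alive_B) rows."""
    s = RpSession(created_at=0, id_token_exp=id_token_lifetime, last_seen=0)
    rows = []
    for t, kind in events:
        if kind == "op_logout":
            s.op_logged_out = True
        a, b = alive_exp_bound(s, t), alive_decoupled(s, t)
        if kind == "request" and b:
            s.last_seen = t      # activity only extends a live session
        rows.append((t, kind, a, b))
    return rows

# Constructed timelines, in seconds since login.
SHORT_TOKEN = compare(5 * 60, [(120, "request"), (600, "request"), (1200, "request")])
LONG_TOKEN = compare(60 * 60, [(120, "request"), (300, "op_logout"), (600, "request")])

if __name__ == "__main__":
    for name, rows in (("5-minute token", SHORT_TOKEN), ("60-minute token", LONG_TOKEN)):
        print(name)
        for row in rows:
            print("  t=%d %-9s exp-bound=%s decoupled=%s" % row)
```

    With the five-minute token, the exp-bound policy drops an active user at t=600; with the sixty-minute token, it keeps the session alive after the logout at the OP at t=300.<br>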
  </body>
</html>