<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<font face="Helvetica, Arial, sans-serif">Whether the idToken has
value after the initial authentication flow is dependent on how
the Issuer intends the id_token to be used. <br>
<br>
As Justin states, there is no corollary between the id_token
expiry and the expiry of the session at the AS. Obviously the
session could be terminated and the id_token still be valid. If
the RT is tied to the session of the user at the AS then you can
use the refresh_token grant to determine when the RT becomes
invalidated (via some polling scheme). Of course this only works
if the AS binds the RT to a session. Otherwise, the RP must rely
on the AS to implement one of the forms of "session logout" and
rely on that to know the session has expired.<br>
<br>
Thanks,<br>
George<br>
<br>
P.S. I'm not sure I go so far as to say that the id_token "SHOULD"
be very short lived, but that's for a different discussion :)<br>
<br>
</font>
<div class="moz-cite-prefix">On 11/21/17 11:59 AM, Sergey Beryozkin
via Openid-specs-ab wrote:<br>
</div>
<blockquote type="cite"
cite="mid:d812f880-38e6-46ee-892c-42a2ebae96e6@gmail.com">Hi
Justin,
<br>
<br>
Thanks, we've had some doubts re what to do when IdToken expires,
though indeed, my colleagues do not think tying the id token
lifetime to the RP session one was needed.
<br>
<br>
What would be the recommended action for the RP to take when it
sees the IdToken expiring? Does it really have any practical value,
the IdToken expiry time?
<br>
<br>
Thanks, Sergey
<br>
On 21/11/17 16:50, Justin Richer wrote:
<br>
<blockquote type="cite">No, that’s not reasonable to assume. The
ID Token should be very short lived in practice, as it’s really
just a message from the IdP to the RP saying “this is the person
logging in”. It doesn’t need to live long to be processed. The
RP should take over its session management on its own after
that, and it shouldn’t base its session life on the assertion
lifetime.
<br>
<br>
— Justin
<br>
<br>
<blockquote type="cite">On Nov 12, 2017, at 6:48 AM, Sergey
Beryozkin via Openid-specs-ab
<a class="moz-txt-link-rfc2396E" href="mailto:openid-specs-ab@lists.openid.net"><openid-specs-ab@lists.openid.net></a> wrote:
<br>
<br>
Hi All
<br>
<br>
Is it reasonable/correct to assume that the expiry time of the
IdToken should be the expiry time of the OIDC RP session as
well?
<br>
<br>
Thanks, Sergey
<br>
_______________________________________________
<br>
Openid-specs-ab mailing list
<br>
<a class="moz-txt-link-abbreviated" href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.net</a>
<br>
<a class="moz-txt-link-freetext" href="http://lists.openid.net/mailman/listinfo/openid-specs-ab">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a>
<br>
</blockquote>
<br>
</blockquote>
</blockquote>
<br>
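<p>Added example, not taken from any of the messages above and not the code of any OpenID implementation: a Python sketch of the RP-side handling George and Justin describe. The id_token is validated once, at the end of the authentication flow; the RP then starts its own session whose lifetime is local policy rather than the id_token <code>exp</code>; and a refresh_token grant response is read as a liveness signal for the session at the AS. Assumptions: the id_token is HS256-signed with a constructed shared secret so the example runs offline (real OPs normally sign with RS256 and publish keys via JWKS), the issuer and client_id values are hypothetical, and the refresh-grant check only means anything if the AS binds the refresh token to the user's session, exactly the caveat George gives.</p>

```python
import base64
import hashlib
import hmac
import json

# Constructed shared secret for the HS256 signature in this example (an
# assumption made here; production OPs typically sign id_tokens with RS256).
DEMO_KEY = b"constructed-demo-key-not-for-production"
DEMO_ISSUER = "https://op.example"    # hypothetical issuer
DEMO_CLIENT_ID = "rp-client-123"      # hypothetical client_id


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_id_token(sub: str, iat: int, lifetime: int) -> str:
    """Constructed id_token (HS256) standing in for what the OP would issue."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": DEMO_ISSUER, "aud": DEMO_CLIENT_ID, "sub": sub,
              "iat": iat, "exp": iat + lifetime}
    signing_input = (_b64url(json.dumps(header).encode()) + "."
                     + _b64url(json.dumps(claims).encode()))
    sig = hmac.new(DEMO_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_id_token_at_login(token: str, now: int) -> dict:
    """Validate the id_token once, when the authentication flow completes.

    The signature is always checked with HS256 and DEMO_KEY; the header's
    alg field is verified but never used to pick the algorithm.
    """
    header_b64, claims_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(DEMO_KEY, f"{header_b64}.{claims_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != DEMO_ISSUER or claims.get("aud") != DEMO_CLIENT_ID:
        raise ValueError("wrong issuer or audience")
    if now >= claims["exp"]:
        raise ValueError("id_token expired")
    return claims


def id_token_still_valid(token: str, now: int) -> bool:
    """Convenience wrapper: True if the token would still pass validation."""
    try:
        validate_id_token_at_login(token, now)
        return True
    except ValueError:
        return False


def start_rp_session(claims: dict, now: int, session_ttl: int) -> dict:
    """The RP session lifetime is local policy, independent of id_token exp."""
    return {"sub": claims["sub"], "expires_at": now + session_ttl}


def rp_session_active(session: dict, now: int) -> bool:
    return now < session["expires_at"]


def as_session_state_from_refresh(refresh_response: dict) -> str:
    """Read a refresh_token grant response (RFC 6749 section 5) as a signal.

    Only meaningful when the AS binds the refresh token to the user's session;
    otherwise a successful refresh says nothing about whether the user is
    still logged in at the AS.
    """
    if "access_token" in refresh_response:
        return "active"
    if refresh_response.get("error") == "invalid_grant":
        return "revoked"
    return "unknown"


if __name__ == "__main__":
    iat = 1_700_000_000
    token = mint_id_token("alice", iat, lifetime=300)
    claims = validate_id_token_at_login(token, now=iat + 10)
    session = start_rp_session(claims, now=iat + 10, session_ttl=3600)
    # 1000 s later the id_token has expired but the RP session has not.
    print(id_token_still_valid(token, iat + 1000), rp_session_active(session, iat + 1000))
    print(as_session_state_from_refresh({"error": "invalid_grant"}))
```

<p>The point the thread makes shows up in the two booleans printed at the end: once login is complete the id_token's expiry is irrelevant to the RP session, and the only signal about the AS session comes from the AS itself (a refresh response, or one of the session-logout mechanisms), not from the assertion.</p>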
</body>
</html>