OpenID Connect Session Management 1.0 - definition of exp of an ID token

Танги Ле Пенс tangui.lepense at mail.ru
Mon Mar 25 14:24:31 UTC 2019


Hello,

In https://openid.net/specs/openid-connect-session-1_0.html#ChangeNotification it is written that:


An ID Token typically comes with an expiration date. The RP MAY rely on it to expire the RP session. However, it is entirely possible that the End-User might have logged out of the OP before the expiration date. Therefore, it is highly desirable to be able to find out the login status of the End-User at the OP


This is misleading in my opinion, because it sounds like the 'exp' value is the duration of the subject's session on the OP, which is not according to the OpenID Connect core specification:


exp
    REQUIRED. Expiration time on or after which the ID Token MUST NOT
    be accepted for processing.


An ID Token could have a 2-minute lifetime (time to open a cookie session on the RP) and the subject's session still be valid on the OP.


I'd suggest rewording this paragraph.

Cheers,

Tangui
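The distinction raised in the mail, as an added example that is not part of the original message: the RP checks 'exp' only when it processes the ID token, and learns whether the End-User is still logged in at the OP by comparing session_state, not by looking at 'exp'. The session_state construction below copies the illustrative one from the Session Management spec's OP iframe example; the spec leaves the actual algorithm to each OP, so that part, together with the client_id, origin and OP browser state values, is an assumption.

```python
import hashlib
import secrets
from typing import Dict

ID_TOKEN_LIFETIME = 120  # seconds: the short-lived ID token from the mail

def id_token_acceptable(claims: Dict[str, int], now: int) -> bool:
    # Core spec "exp": the token MUST NOT be accepted for processing on or after exp.
    return now < claims["exp"]

def session_state(client_id: str, origin: str, opbs: str, salt: str) -> str:
    # Illustrative construction from the Session Management spec's OP iframe example:
    # SHA-256 over "client_id origin opbs salt" (hex), then "." and the salt.
    # Assumption: real OPs may compute session_state differently.
    digest = hashlib.sha256(f"{client_id} {origin} {opbs} {salt}".encode()).hexdigest()
    return f"{digest}.{salt}"

def op_state_changed(stored: str, client_id: str, origin: str, current_opbs: str) -> bool:
    # The OP iframe recomputes session_state from the current OP browser state and the
    # salt carried in the stored value; a mismatch is the "changed" postMessage reply.
    _, salt = stored.rsplit(".", 1)
    return session_state(client_id, origin, current_opbs, salt) != stored

def walkthrough(t0: int = 1_000_000) -> Dict[str, bool]:
    client_id, origin = "rp-client", "https://rp.example"   # constructed values
    opbs_login = "opbs-after-login"                          # constructed OP browser state
    claims = {"iat": t0, "exp": t0 + ID_TOKEN_LIFETIME}
    stored = session_state(client_id, origin, opbs_login, secrets.token_hex(8))
    out: Dict[str, bool] = {}
    # Right after login the ID token is processed once to open the RP cookie session.
    out["accepted_at_login"] = id_token_acceptable(claims, t0 + 30)
    # Ten minutes later the same token may no longer be processed ...
    out["accepted_later"] = id_token_acceptable(claims, t0 + 600)
    # ... but the OP session is untouched, so nothing says the RP session must end.
    out["op_changed_later"] = op_state_changed(stored, client_id, origin, opbs_login)
    # A logout at the OP changes the OP browser state regardless of any exp value.
    out["op_changed_after_logout"] = op_state_changed(stored, client_id, origin, "opbs-after-logout")
    return out
```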


