Clarify meaning of exp claim in ID Token
Issue #1002
resolved
Several people have requested that the meaning of the "exp" (expiration time) claim in the ID Token be clarified. The intended meaning was the ID Token cannnot be used to establish an authenticated session with the RP after the expiration time has passed. Some have been confused into thinking that "exp" also limits the authenticated session length, which it doesn't.
We probably owe it to people to clarify this. We can do it as an errata action since it is not a normative change. Here's a stab at a proposed change...
The first sentence currently says "Expiration time on or after which the ID Token MUST NOT be accepted for processing." I propose that we change this to "Expiration time on or after which the ID Token MUST NOT be accepted by the Relying Party when performing authentication."
Comments (4)
-
reporter
-
reporter
-
assigned issue to
Michael Jones
-
assigned issue to
-
The 'session management" draft also could use some clarification it seems, see for example http://lists.openid.net/pipermail/openid-specs-ab/Week-of-Mon-20171120/006685.html
-
reporter
- changed status to resolved
- Log in to comment
John suggests that we add "from the OpenID Provider" to the wording. ... not intended to set limits on or be related to session lifetime. Phil suggests that we say somewhere that this is unrelated to session lifetime.