Clarify meaning of exp claim in ID Token

Issue #1002 resolved
Michael Jones created an issue

Several people have requested that the meaning of the "exp" (expiration time) claim in the ID Token be clarified. The intended meaning was the ID Token cannot be used to establish an authenticated session with the RP after the expiration time has passed. Some have been confused into thinking that "exp" also limits the authenticated session length, which it doesn't.

We probably owe it to people to clarify this. We can do it as an errata action since it is not a normative change. Here's a stab at a proposed change...

The first sentence currently says "Expiration time on or after which the ID Token MUST NOT be accepted for processing." I propose that we change this to "Expiration time on or after which the ID Token MUST NOT be accepted by the Relying Party when performing authentication."

Comments (4)

  1. Michael Jones reporter

    John suggests that we add "from the OpenID Provider" to the wording. ... not intended to set limits on or be related to session lifetime. Phil suggests that we say somewhere that this is unrelated to session lifetime.

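The distinction discussed in this issue, as an added example in Python (not code from the issue or from the OpenID Connect specification): the "exp" claim gates whether the Relying Party may accept the ID Token when performing authentication, while the lifetime of the session the RP then establishes is the RP's own policy. The issuer, subject, client id and timestamps below are constructed sample values.

```python
# Constructed sample ID Token claims; in practice these are the payload of a
# JWT whose signature has already been verified by the Relying Party.
ID_TOKEN_CLAIMS = {
    "iss": "https://op.example.com",   # hypothetical OpenID Provider
    "sub": "248289761001",             # constructed subject identifier
    "aud": "client-example",           # constructed client id
    "iat": 1_700_000_000,              # issued at
    "exp": 1_700_000_300,              # expires 5 minutes after issuance
}

def id_token_usable_for_authentication(claims, now, leeway=0):
    """True if the RP may accept this ID Token to authenticate the user at
    time `now`. "exp" is the instant on or after which the token MUST NOT be
    accepted; `leeway` (seconds) is an optional allowance for clock skew."""
    exp = claims.get("exp")
    if not isinstance(exp, int):
        return False  # a missing or malformed exp is a rejection, not a pass
    return now < exp + leeway

def establish_session(claims, now, session_lifetime):
    """Authenticate with the ID Token, then create an RP session whose
    lifetime is an RP policy decision, independent of the token's exp."""
    if not id_token_usable_for_authentication(claims, now):
        raise ValueError("ID Token expired: cannot use it to authenticate")
    return {
        "sub": claims["sub"],
        "auth_time": now,
        "session_expires": now + session_lifetime,
    }

def session_is_valid(session, now):
    """The session outlives the ID Token; only the RP's own expiry applies."""
    return now < session["session_expires"]
```

Once the session exists, checking it later does not consult the ID Token at all, which is exactly why an expired "exp" does not end the session.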