Expiration of Logout Tokens for Back-Channel Logout: exp claim not mentioned in spec

Issue #1664 resolved
Michael Engler created an issue

Hi there,

in section 4 (https://openid.net/specs/openid-connect-backchannel-1_0.html#Security ) I read the following:

“OPs are encouraged to use short expiration times in Logout Tokens, preferably at most two minutes in the future, to prevent captured Logout Tokens from being replayable.”

However, section 2.4 (https://openid.net/specs/openid-connect-backchannel-1_0.html#LogoutToken ) does not mention anything with regard to a required exp claim in the Logout Token. The only - in my view rather vague - statement which might match is:

“Logout Tokens MAY contain other Claims.”

Could you please clarify if an exp claim ought to be there?

Many thanks and kind regards,

Michael

Comments (9)

  1. Michael Jones

    I believe it makes sense for an “exp” claim to be there. That said, the logout specs are now final specifications, so we’re not able to change them in normative ways.

  2. Michael Jones

    We noticed during the 20-Oct-22 call that the examples don’t include “exp” either. However, for a JWT, it’s obvious that that’s how you’d achieve expiration.

  3. Michael Engler reporter

    Yes, you are right. And I absolutely agree that an exp claim makes a lot of sense here.

    It is just a pity that it cannot be added as a required claim to the now finalized spec.

    As a result, there may be (compliant) OpenID Providers which do not restrict the Logout Token lifetime. From my perspective as a Relying Party, I would never accept Logout Tokens without any expiration. Thus I see the need to add yet another configuration switch to enable an Administrator to control how to handle the case if the exp claim is absent, e.g., to a) reject the token altogether or b) accept the token for n minutes after its issuance.
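The RP-side policy described in the issue and in the comment above, as an added example that is not part of the spec, the thread or any participant's code: a Logout Token validator that follows the checks in section 2.6 (iss, aud, iat, sub/sid, events, no nonce, optional jti replay check) and adds the two administrator options for a missing exp claim, reject outright or accept for a configurable window after iat, defaulting to the two minutes the Security Considerations suggest. For self-containment it signs and verifies with HS256 and a shared secret; a real deployment verifies the OP's JWS signature with its published keys, and the key, issuer, client id and timestamps below are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
import time

# Member name the spec requires inside the "events" claim (section 2.4).
BACKCHANNEL_LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"

# "Preferably at most two minutes" from the Security Considerations, used as the
# fallback lifetime when "exp" is absent and the admin chose to accept such tokens.
DEFAULT_MAX_AGE_SECONDS = 120


class LogoutTokenError(ValueError):
    """Raised when a Logout Token fails validation."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_logout_token(claims: dict, key: bytes) -> str:
    """Test-only minting of an HS256 Logout Token (assumption: a real OP signs asymmetrically)."""
    header = {"alg": "HS256", "typ": "logout+jwt"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_logout_token(token, key, issuer, client_id, *, now=None,
                          missing_exp="reject", max_age=DEFAULT_MAX_AGE_SECONDS,
                          seen_jtis=None):
    """Validate per section 2.6 and return the claims; raise LogoutTokenError otherwise.

    missing_exp="reject" drops tokens without "exp"; "accept_for" treats them as
    valid for max_age seconds after "iat" (the two admin options from the thread).
    """
    now = time.time() if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        claims = json.loads(_b64url_decode(p_b64))
        signature = _b64url_decode(s_b64)
    except ValueError:  # covers unpacking, base64, UTF-8 and JSON failures
        raise LogoutTokenError("malformed JWT")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise LogoutTokenError("header and payload must be JSON objects")
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
        raise LogoutTokenError("unexpected alg")
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        raise LogoutTokenError("bad signature")

    # Step 3: iss, aud, iat validated as for an ID Token.
    if claims.get("iss") != issuer:
        raise LogoutTokenError("iss mismatch")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise LogoutTokenError("aud does not include this RP")
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)) or iat > now:
        raise LogoutTokenError("iat missing or in the future")
    if not isinstance(claims.get("jti"), str) or not claims["jti"]:
        raise LogoutTokenError("jti missing")
    # Step 4: sub and/or sid must be present.
    if "sub" not in claims and "sid" not in claims:
        raise LogoutTokenError("neither sub nor sid present")
    # Step 5: events claim carrying the back-channel logout member.
    events = claims.get("events")
    if not isinstance(events, dict) or not isinstance(events.get(BACKCHANNEL_LOGOUT_EVENT), dict):
        raise LogoutTokenError("events claim lacks the back-channel logout member")
    # Step 6: nonce MUST NOT be present.
    if "nonce" in claims:
        raise LogoutTokenError("nonce present")

    # Expiration: not mandated by section 2.4, so the RP needs a configured policy.
    exp = claims.get("exp")
    if exp is None:
        if missing_exp == "reject":
            raise LogoutTokenError("exp absent and policy is to reject")
        if missing_exp != "accept_for":
            raise ValueError(f"unknown missing_exp policy {missing_exp!r}")
        exp = iat + max_age
    if not isinstance(exp, (int, float)) or now > exp:
        raise LogoutTokenError("Logout Token expired")

    # Step 7 (optional): jti replay protection; entries can be dropped once past exp.
    if seen_jtis is not None:
        if claims["jti"] in seen_jtis:
            raise LogoutTokenError("jti already seen (replay)")
        seen_jtis[claims["jti"]] = exp
    return claims


def outcome(token, key, issuer, client_id, **kwargs) -> str:
    """Return "ok" or the rejection reason, handy for policy checks and tests."""
    try:
        validate_logout_token(token, key, issuer, client_id, **kwargs)
        return "ok"
    except LogoutTokenError as err:
        return str(err)
```

With a token issued 30 seconds ago and no exp claim, the "reject" policy refuses it, "accept_for" with the default window accepts it now and refuses it 100 seconds later (30 + 100 exceeds the 120-second window); the bounded seen_jtis map can be purged of entries whose stored exp has passed, since any replay after that point is rejected by the expiry check anyway.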

  4. Michael Jones

    Actually, thinking about this more, given that the Security Considerations recommend using expiring logout tokens and even suggest two minutes as the period, an argument could be made for adding “exp” to the normative text as an errata action to enable the Security Consideration to be actionable. We should talk about this on a future call.
