Expiration of Logout Tokens for Back-Channel Logout: exp claim not mentioned in spec
Hi there,
In section 4 (https://openid.net/specs/openid-connect-backchannel-1_0.html#Security) I read the following:
“OPs are encouraged to use short expiration times in Logout Tokens, preferably at most two minutes in the future, to prevent captured Logout Tokens from being replayable.”
However, section 2.4 (https://openid.net/specs/openid-connect-backchannel-1_0.html#LogoutToken) does not mention anything with regard to a required exp claim in the Logout Token. The only statement which might match (in my view a rather vague one) is:
“Logout Tokens MAY contain other Claims.”
Could you please clarify if an exp claim ought to be there?
Many thanks and kind regards,
Michael
Comments (9)
-
reporter -
I believe it makes sense for an “exp” claim to be there. That said, the logout specs are now final specifications, so we’re not able to change them in normative ways.
-
We noticed during the 20-Oct-22 call that the examples don’t include “exp” either. However, for a JWT, it’s obvious that that’s how you’d achieve expiration.
-
- changed status to open
-
reporter Yes, you are right. And I absolutely agree that an exp claim makes a lot of sense here.
It is just a pity that it cannot be added as a required claim to the now finalized spec.
As a result, there may be (compliant) OpenID Providers which do not restrict the Logout Token lifetime. From my perspective as a Relying Party, I would never accept Logout Tokens without any expiration. Thus I see the need to add yet another configuration switch to enable an Administrator to control how to handle the case where the exp claim is absent, e.g., to a) reject the token altogether or b) accept the token for n minutes after its issuance.
-
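The two RP-side policies the reporter describes (reject a Logout Token that carries no exp, or accept it for a configured window after its iat) are easy to get wrong if they are bolted on after the rest of the validation, so here is an added example of a complete Logout Token validator with that switch built in. This code is not part of the issue, the spec, or any OpenID implementation. For a self-contained run it verifies an HS256 signature with a shared key and mints its own test fixtures; a real RP validates the signature with the OP's published keys exactly as it would for an ID Token. The policy names `reject` and `iat_window`, the 120-second default (taken from the two-minute figure in the Security Considerations) and the helper names are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json
import time

# Event name a Logout Token must carry in its "events" claim.
BACKCHANNEL_LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_logout_token(claims: dict, key: bytes) -> str:
    """Mint an HS256 Logout Token. Test fixture only (assumption): real OPs sign
    with an asymmetric key and RPs verify against the OP's jwks_uri."""
    header = _b64url_encode(json.dumps({"alg": "HS256"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


class LogoutTokenError(ValueError):
    """Raised with a short reason when a Logout Token must be rejected."""


def validate_logout_token(token: str, key: bytes, issuer: str, client_id: str, *,
                          now=None, missing_exp_policy="reject",
                          default_lifetime=120, seen_jti=None) -> dict:
    """Validate a Logout Token: signature, iss, aud, iat, sub/sid, events, no nonce,
    jti, then lifetime. missing_exp_policy (hypothetical config switch):
      "reject"     - a token without exp is refused;
      "iat_window" - a token without exp is accepted until iat + default_lifetime."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise LogoutTokenError("not a compact JWS")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":          # pins the algorithm; also kills alg=none
        raise LogoutTokenError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise LogoutTokenError("bad signature")
    claims = json.loads(_b64url_decode(p))

    if claims.get("iss") != issuer:
        raise LogoutTokenError("iss mismatch")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise LogoutTokenError("aud mismatch")
    if not isinstance(claims.get("iat"), (int, float)):
        raise LogoutTokenError("iat missing")
    if "sub" not in claims and "sid" not in claims:
        raise LogoutTokenError("sub or sid required")
    events = claims.get("events")
    if not isinstance(events, dict) or not isinstance(events.get(BACKCHANNEL_LOGOUT_EVENT), dict):
        raise LogoutTokenError("missing backchannel-logout event")
    if "nonce" in claims:                     # a Logout Token is not an ID Token
        raise LogoutTokenError("nonce must not be present")
    jti = claims.get("jti")
    if not jti:
        raise LogoutTokenError("jti missing")

    # Lifetime: honour exp when present, otherwise apply the configured policy.
    if "exp" in claims:
        if not isinstance(claims["exp"], (int, float)) or now >= claims["exp"]:
            raise LogoutTokenError("token expired")
    elif missing_exp_policy == "iat_window":
        if now >= claims["iat"] + default_lifetime:
            raise LogoutTokenError("token older than configured lifetime")
    else:
        raise LogoutTokenError("exp missing and policy is reject")

    # Replay protection only works once tokens cannot live forever: bound the
    # jti cache by the same lifetime in a real deployment.
    if seen_jti is not None:
        if jti in seen_jti:
            raise LogoutTokenError("jti replayed")
        seen_jti.add(jti)
    return claims


def check(token, key, issuer, client_id, **kw):
    """Return None when the token is accepted, else the rejection reason."""
    try:
        validate_logout_token(token, key, issuer, client_id, **kw)
        return None
    except LogoutTokenError as e:
        return str(e)
```

Note that the jti replay set is only useful together with a bounded lifetime: without exp (or the iat window), an RP would have to remember every jti it has ever seen, which is exactly why the Security Considerations ask for short-lived tokens.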
- changed milestone to Errata
Actually, thinking about this more, given that the Security Considerations recommend using expiring logout tokens and even suggest two minutes as the period, an argument could be made for adding “exp” to the normative text as an errata action to make the Security Consideration actionable. We should talk about this on a future call.
-
-
Will be fixed by https://bitbucket.org/openid/connect/pull-requests/537
-
- changed status to resolved
Fixed
#1664: Added exp claim to Logout Token → <<cset 940485be4a8f>>