[mitreid-connect] End Session and access tokens
Justin Richer
jricher at mit.edu
Tue Jun 27 08:41:11 EDT 2017
Yes, this is by design. The life of the access token is not tied to nor
indicative of the length of the session at the RP or at the IdP. It's
the ID Token that sets up the session at the RP, not the access token,
and even then the life of the ID Token is also separate from the life of
the session. And since the access token can be used for other resources
besides the UserInfo Endpoint, you don't want the access token to expire
on "log out" because the RP/client might still be calling APIs long
after the user has left.
-- Justin
On 6/26/2017 5:26 PM, Luiz Omori wrote:
>
> I played a bit with the new End Session endpoint and noticed that
> after calling it the previously acquired access token was still valid.
> Is this by design? I understand that the RP can just discard it but
> still surprising that the access token was valid (per Introspection).
> Is this just to terminate the “behind the scenes” browser session?
>
> Regards,
>
> Luiz
>
> _______________________________________________
> mitreid-connect mailing list
> mitreid-connect at mit.edu
> http://mailman.mit.edu/mailman/listinfo/mitreid-connect
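The behaviour Justin describes above, as an added example that is not MITREid Connect's code and not from either poster: a toy in-memory provider and client (both constructed here for illustration, with made-up class and method names) walk through login, RP-initiated logout via an end_session call, and introspection. The model assumes an RFC 7662-style introspection response and an RFC 7009-style revocation call; the point is that end_session only tears down the browser session, and the access token stays active until its own expiry or an explicit revocation.

```python
import secrets


class ToyProvider:
    """In-memory stand-in for an OP (added example, not MITREid Connect code):
    browser sessions, access tokens, introspection, end_session, revocation."""

    def __init__(self, access_token_lifetime=3600, id_token_lifetime=600):
        self.sessions = {}       # sid -> sub   (browser session at the OP)
        self.access_tokens = {}  # token -> record, independent of any session
        self.at_lifetime = access_token_lifetime
        self.idt_lifetime = id_token_lifetime

    def authenticate(self, sub, now):
        """User logs in: OP session created, ID token and access token issued."""
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = sub
        token = secrets.token_urlsafe(32)
        self.access_tokens[token] = {
            "sub": sub, "scope": "openid profile",
            "exp": now + self.at_lifetime, "revoked": False,
        }
        id_token = {"sub": sub, "sid": sid, "iat": now, "exp": now + self.idt_lifetime}
        return sid, id_token, token

    def introspect(self, token, now):
        """RFC 7662-style answer: active iff known, unexpired and not revoked."""
        rec = self.access_tokens.get(token)
        if rec is None or rec["revoked"] or now >= rec["exp"]:
            return {"active": False}
        return {"active": True, "sub": rec["sub"], "scope": rec["scope"], "exp": rec["exp"]}

    def end_session(self, sid):
        """RP-initiated logout: only the OP browser session goes away."""
        return self.sessions.pop(sid, None) is not None

    def revoke(self, token):
        """RFC 7009-style revocation (assumed endpoint): the only call here
        that actually kills the access token before it expires."""
        rec = self.access_tokens.get(token)
        if rec is None:
            return False
        rec["revoked"] = True
        return True


class ToyClient:
    """RP side: its session is set up from the ID token, not the access token."""

    def __init__(self):
        self.session = None
        self.access_token = None

    def login(self, id_token, access_token, now):
        if now >= id_token["exp"]:
            raise ValueError("stale ID token, refuse to start a session")
        self.session = {"sub": id_token["sub"], "sid": id_token["sid"], "since": now}
        self.access_token = access_token

    def logout(self):
        # Discarding the token is the RP's job; the OP will not do it on end_session.
        self.session = None
        self.access_token = None


def demo(now=1_498_500_000):
    """Login, logout, expiry and revocation; returns what introspection reported."""
    op, rp = ToyProvider(), ToyClient()
    sid, id_token, at = op.authenticate("luiz", now)
    rp.login(id_token, at, now)
    out = {}
    out["active_after_login"] = op.introspect(at, now)["active"]
    # The ID token expiring does not end the RP session: separate lifetimes.
    later = id_token["exp"] + 1
    out["rp_session_after_idt_expiry"] = rp.session is not None
    # RP-initiated logout: OP drops its browser session, RP drops its own state...
    out["end_session_ok"] = op.end_session(sid)
    rp.logout()
    # ...but the access token is still active per introspection (the surprise in the thread).
    out["active_after_end_session"] = op.introspect(at, later)["active"]
    # Left alone, it dies on its own clock, unrelated to any logout.
    out["active_past_at_expiry"] = op.introspect(at, now + 3600)["active"]
    # If the token must be dead right after logout, revoke it explicitly.
    out["revoke_ok"] = op.revoke(at)
    out["active_after_revoke"] = op.introspect(at, later)["active"]
    return out
```

The check a practitioner would add to a logout handler is therefore the last step in demo: discard the RP's own copy of the token and, if the deployment offers token revocation, call it, rather than expecting end_session to do either.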