Security/Guidelines/OpenID Connect: Difference between revisions

Line 128: Line 128:




* '''Should''' provide a 'logout' URL, which the OpenID Connect Provider (OP) can call to indicate if a user has logged out (so that you log the user out as well).
* '''Should''' provide a <code>logout</code> URL, which the OpenID Connect Provider (OP) can call to indicate if a user has logged out (so that you log the user out as well).
* '''Must''' expire the user session when the ID token expires or sooner (the expiration time is generally a UNIX timestamp attribute named 'exp').
* '''Must''' expire the user session when the ID token expires or sooner (the expiration time is generally a UNIX timestamp attribute named <code>exp</code>).
* If the user's session is longer than '''15 minutes''', '''must''' re-check/introspect the ID token every ''15 minutes'' or next user request (whichever comes first), to ensure that the user is still valid and has correct permissions.
* If the user's session is longer than '''15 minutes''', '''must''' re-check/introspect the ID token every ''15 minutes'' or next user request (whichever comes first), to ensure that the user is still valid and has correct permissions.
** This ensures that access is revoked within ''15 minutes'' in the event that the user's account is disabled by the OpenID Connect Provider (OP).
** This ensures that access is revoked within ''15 minutes'' in the event that the user's account is disabled by the OpenID Connect Provider (OP).
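Review bot: The revised `logout` bullet still does not say how the relying party should confirm that a request to its logout URL actually came from the OP, so as written an unauthenticated request to that URL would be enough to end a user's session. Suggest adding a sentence that the endpoint must validate the OP's logout notification before terminating the session (for OpenID Connect back-channel logout that means verifying the signed logout token's signature, issuer, audience and `sid`/`sub` claims, as with the ID token), and that it should respond without revealing whether a matching session existed. The rest of the hunk (the `exp`-based expiry and the 15-minute re-check) is consistent with the previous revision; the markup change from quotes to `<code>` is fine.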