Per the OpenID Connect Session Management draft spec section 4:

> An ID Token typically comes with an expiration date. The RP MAY rely on it to expire the RP session. However, it is entirely possible that the End-User might have logged out of the OP before the expiration date. Therefore, it is highly desirable to be able to find out the login status of the End-User at the OP.

This could be read a few ways (see also the discussion in #6742):

* that the expiration date should be an upper bound on session lifespan, but other options to end the session sooner are provided in the session management spec
* that respecting the expiration date is optional entirely

Having support for limiting the session lifespan to the expiration of the identity token would be greatly appreciated. This is analogous to SAML2's sessionNotOnOrAfter in an AuthnStatement, in being a way for identity providers to set an upper bound for session duration in a connected application without verifying that the user's session is still active at the identity provider.

Comment From: jvanheesch

Please note that the spring security reference demonstrates RestTemplate bearer token propagation using SecurityContextHolder.getContext().getAuthentication(). If the accessToken is expired and the security context is not refreshed, this approach breaks.

Comment From: dalbani

Are there any news to share regarding this functionality? Is there a way to help getting things moving forward?

@hauntingEcho: I'm curious, did you implement your own custom solution in the meantime?

Comment From: hauntingEcho

@dalbani actually I moved to a dotnet position a few months after opening this ticket, and have not worked with Spring since.

Comment From: PoemDaga

We are also looking forward to this feature. Any leads on how to customise this for now?
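The following is an added example, not code from the issue author or from the Spring Security project, of one way to enforce the behaviour requested in the issue body (the ID token's `exp` as an upper bound on the RP session) without waiting for built-in support, which is also what the last comment asks about. It assumes Spring Security 6 on Java 17 (`jakarta.servlet`, pattern-matching `instanceof`) and an application that logs users in with `oauth2Login()`, so the principal is an `OidcUser`. The filter class name `IdTokenExpiryFilter` and the config class are hypothetical; `OidcUser#getIdToken()`, `OidcIdToken#getExpiresAt()`, `SecurityContextLogoutHandler` and `SecurityContextHolderFilter` are real Spring Security types.

```java
import java.io.IOException;
import java.time.Clock;
import java.time.Instant;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
import org.springframework.security.web.context.SecurityContextHolderFilter;
import org.springframework.web.filter.OncePerRequestFilter;

/**
 * Hypothetical filter (not part of Spring Security): ends the RP session once the
 * ID token that established it has passed its exp claim, the SAML
 * sessionNotOnOrAfter-style upper bound discussed in this issue. It does not
 * contact the OP, so an earlier OP-side logout is still not detected here.
 */
public class IdTokenExpiryFilter extends OncePerRequestFilter {

    private final Clock clock;
    // Same handler the logout flow uses: invalidates the HttpSession and clears the context.
    private final SecurityContextLogoutHandler logoutHandler = new SecurityContextLogoutHandler();

    public IdTokenExpiryFilter(Clock clock) {
        this.clock = clock;
    }

    /** True if the principal is an OIDC user whose ID token exp is at or before {@code now}. */
    static boolean isIdTokenExpired(Authentication authentication, Instant now) {
        if (authentication == null || !(authentication.getPrincipal() instanceof OidcUser user)) {
            return false; // not an OIDC login: nothing to enforce
        }
        Instant exp = user.getIdToken().getExpiresAt();
        // exp is REQUIRED in an ID Token, but the Spring type allows null, so be defensive.
        return exp != null && !now.isBefore(exp);
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
            FilterChain chain) throws ServletException, IOException {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        if (isIdTokenExpired(authentication, clock.instant())) {
            // Treat the request exactly like a logout: drop the session and the stored context.
            // The request continues as anonymous, so the usual authorization rules send the
            // user back through the OP (which will re-check its own session state).
            logoutHandler.logout(request, response, authentication);
        }
        chain.doFilter(request, response);
    }
}

@Configuration
class SessionBoundToIdTokenConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .oauth2Login(Customizer.withDefaults())
            // Run after the security context has been loaded for this request, but before
            // authorization decisions are made.
            .addFilterAfter(new IdTokenExpiryFilter(Clock.systemUTC()), SecurityContextHolderFilter.class)
            .authorizeHttpRequests(authorize -> authorize.anyRequest().authenticated());
        return http.build();
    }
}
```

The check is deliberately evaluated per request rather than by setting the servlet session timeout once at login: `exp` is an absolute instant, while `HttpSession#setMaxInactiveInterval` is an idle timeout and would let an active user outlive the token. Injecting a `Clock` keeps the expiry decision testable with a fixed time. This still only implements the first reading of the spec text quoted in the issue (the expiration as an upper bound); detecting an OP-side logout before `exp` would additionally need the session management mechanisms (check_session_iframe, front-/back-channel logout) that the draft goes on to describe.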