In OpenID Connect, the ID token is a cryptographically signed, self-contained token which allows resource owners to authorize access without a call to the authorization server. So, if the Authorization server isn't necessary to validate the token, how can it be revoked in a session management scenario? It seems like the only thing that can be revoked is the refresh token at which point the ID token would just expire and the user would have to reauthenticate. Is this correct? Also, does it even make sense for OpenID Connect Provider/Server to store the token at all as it hands it off?
The `id_token` cannot be explicitly revoked because of the reasons that you mention: it is self-contained and can be used without dependency on the Provider. However, a typical usage in web applications is to use the `id_token` upon receipt to create an application session, store the relevant information from the `id_token` in the session and then to discard the `id_token` itself. That application session can be terminated upon request from the Provider by implementing the OpenID Connect Session Management extension, see: https://openid.net/specs/openid-connect-session-1_0.html. In this web SSO use case the `id_token` lifetime would be limited since it is one-time usage only.
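The pattern the answer describes, as an added example that is not part of the original post: the application verifies the `id_token` once, copies only the claims it needs into its own session store, discards the token, and a later provider-initiated logout ends that session rather than the token. It assumes an HS256-signed token carrying a `sid` claim and the helper names shown (`make_id_token` stands in for the Provider); real Providers usually sign with RS256 keys published in their JWKS.

```python
import base64, hashlib, hmac, json, time

SESSIONS = {}  # constructed in-memory store: sid -> claims kept after the id_token is discarded

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_id_token(claims: dict, key: bytes) -> str:
    """Constructed stand-in for the Provider: mint an HS256 id_token for the demo."""
    head, body = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode()), _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def verify_id_token(token: str, key: bytes, issuer: str, client_id: str, now: float) -> dict:
    """Validate signature, alg, iss, aud and exp locally; no call to the Provider is needed."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head, body, sig = parts
    if json.loads(_unb64url(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never let the token choose it
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(body))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    return claims

def create_session(token: str, key: bytes, issuer: str, client_id: str, now: float = None) -> str:
    """One-time use of the id_token: verify it, keep the needed claims keyed by the 'sid' claim (assumed present), drop the token."""
    now = time.time() if now is None else now
    claims = verify_id_token(token, key, issuer, client_id, now)
    sid = claims["sid"]
    SESSIONS[sid] = {"sub": claims["sub"], "iss": claims["iss"], "created": now}
    return sid

def terminate_session(sid: str) -> bool:
    """What a Provider-initiated logout ends: the application session, not the (already discarded) token."""
    return SESSIONS.pop(sid, None) is not None
```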