OpenID Connect - Why is the IdentityTokenLifetime default to 300 sec?
Maybe I should ask what the intended use of the identity token is. I thought it is used to identify the user, and can be passed to other services (e.g. backend services), and those services use the id_token to validate that it is a valid user? I don't see a currently available endpoint to validate the id_token. If not, what should be passed from one service to another service to validate the user?
The endpoint that takes the id_token as a parameter is the end session endpoint, where it is passed as id_token_hint. In this case, why is the IdentityTokenLifetime default 300 sec only? I don't expect the user to end the session in 300 sec.
The identity token is a one-time token.
It contains the identity of the user and authentication metadata. Once the token is validated, it can (in theory) be deleted. You pick out the claims you are interested in.
The situation where you want to keep the identity token around is for special features during sign-out.
The identity token is never passed around. That's what the access token is for.
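Added example (not part of the original question or answer, and not IdentityServer code): a minimal Python client that validates an id_token once at sign-in, keeps only the claims it needs, and retains the raw token solely as `id_token_hint`. The issuer URL, client ids, key and helper names are constructed for illustration, and HS256 with a shared secret is used only to stay within the standard library; a real client verifies the provider's signature against its published keys.

```python
import base64, hashlib, hmac, json

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(key, signing_input):
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def make_id_token(claims, key):
    """Issue a constructed HS256 id_token (stands in for the provider)."""
    parts = [b64url(json.dumps(p).encode()) for p in ({"alg": "HS256", "typ": "JWT"}, claims)]
    signing_input = ".".join(parts)
    return signing_input + "." + b64url(sign(key, signing_input))

def validate_id_token(token, key, issuer, client_id, nonce, now):
    """Validate once at sign-in; return only the claims the client keeps."""
    try:
        head, body, sig = token.split(".")
        header, claims = json.loads(b64url_decode(head)), json.loads(b64url_decode(body))
        given = b64url_decode(sig)
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise ValueError
    except ValueError:
        raise ValueError("malformed token") from None
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; do not trust the header
    if not hmac.compare_digest(sign(key, head + "." + body), given):
        raise ValueError("bad signature")
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")  # token was issued to a different client
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    if "sub" not in claims:
        raise ValueError("missing sub")
    return {"sub": claims["sub"], "auth_time": claims.get("auth_time")}

def sign_in(token, key, issuer, client_id, nonce, now):
    """The client's own session outlives the token; the raw token is kept
    only to send back as id_token_hint at sign-out."""
    user = validate_id_token(token, key, issuer, client_id, nonce, now)
    return {"user": user, "id_token_hint": token}
```

A backend service that runs the same checks with its own client id rejects this token on the audience check, and a token past its `exp` is rejected even though the session created at sign-in continues.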