valid_from / valid_to
brad at danga.com
Wed Jun 8 13:27:17 PDT 2005
On Wed, 8 Jun 2005, Paul Crowley wrote:
> Brad Fitzpatrick wrote:
> > # openid.valid_from = UTC date
> > # openid.valid_to = UTC date
> > What are those in the spec?
> They define the validity period of the auth token according to the
> server clock. The consumer should make the user re-authenticate when
> the token expires. valid_from should be the creation date.
> defines how the consumer should conservatively track the server clock in
> ordre to interpret this expiry date.
I still don't get it. The "auth_token" being the sig? Or what?
Are you saying the server tells the consumer that the user is logged in
from now until 5 hours? Why should either side care to share/trust that?
Uh, isn't that entirely up to the consumer to decide how their session
cookies and such work?
I understand the purpose of the secret_expiry stuff, but not this.
More information about the yadis