Killing time

Paul Crowley paul at
Fri Jul 8 14:55:48 PDT 2005

Just spoken to Brad about valid_to and other details of the protocol, 
and we've agreed that we should probably take out references to time in 
the token.  This is because consumers, by and large, can't honour 
valid_to and there's no point pretending they can.  Consumers will have 
their own ideas about what limits they can put on your authentication 
(eg "bind to IP address" or "until browser closes" or even "just this 
once) and since you can't make them honour whatever limits the server 
sets anyway, you might as well leave the limiting entirely to them.

In short, tokens should no longer contain openid.issued or 
openid.valid_to; replies to dumb mode requests will have an "is_valid" 
field instead of a "lifetime".

The authentication handle stuff will have lifespans just as before. 
(Brad, we didn't discuss this but it seems sensible, no?)

To address freshness concerns, we're recommending that consumers put 
hard-to-forge tokens in their return_to URL - eg the time, plus some MAC 
of the time - and check them on return.  Then you can be sure that the 
auth token was generated after you generated that return_to URL.
\/ o\ Paul Crowley, paul at

More information about the yadis mailing list