valid_from / valid_to

Brad Fitzpatrick brad at
Wed Jun 8 13:27:17 PDT 2005

On Wed, 8 Jun 2005, Paul Crowley wrote:

> Brad Fitzpatrick wrote:
> > # openid.valid_from = UTC date
> > # openid.valid_to = UTC date
> >
> > What are those in the spec?
> They define the validity period of the auth token according to the
> server clock.  The consumer should make the user re-authenticate when
> the token expires.  valid_from should be the creation date.
> defines how the consumer should conservatively track the server clock in
> order to interpret this expiry date.

I still don't get it.  The "auth_token" being the sig?  Or what?

Are you saying the server tells the consumer that the user is logged in
from now until 5 hours?  Why should either side care to share/trust that?

Uh, isn't that entirely up to the consumer to decide how their session
cookies and such work?

I understand the purpose of the secret_expiry stuff, but not this.

- Brad
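
An added example, not part of the original message or of the spec under discussion: one way a consumer could honour the quoted valid_from / valid_to window without trusting the server's absolute clock. It uses only the window's length, anchored at the consumer's own clock reading from when it started the auth request, and caps the result with the consumer's own session policy. The date format, the function names, the `requested_at` anchor and the `max_session` cap are all assumptions.

```python
from datetime import datetime, timedelta, timezone

# Assumed wire format; the message only says "UTC date".
FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_utc(value):
    """Parse an assumed-format UTC timestamp into an aware datetime."""
    return datetime.strptime(value, FMT).replace(tzinfo=timezone.utc)


def local_expiry(valid_from, valid_to, requested_at,
                 max_session=timedelta(hours=12)):
    """Map a server-clock validity window onto the consumer's clock.

    Only the length of the window is used, so skew between the two
    clocks cannot lengthen the token's life. requested_at is the
    consumer's clock when it began the auth request; the token was
    created no earlier than that, so the result never outlives the
    server's intended expiry.
    """
    start, end = parse_utc(valid_from), parse_utc(valid_to)
    if end <= start:
        raise ValueError("valid_to must be later than valid_from")
    # The consumer's own session policy may only shorten the window.
    lifetime = min(end - start, max_session)
    return requested_at + lifetime


def needs_reauth(expiry, now):
    """True once the consumer should send the user back to the server."""
    return now >= expiry


if __name__ == "__main__":
    # Constructed sample values: a five-hour window on the server clock,
    # while the consumer's clock runs three minutes ahead of it.
    asked = datetime(2005, 6, 8, 20, 3, 0, tzinfo=timezone.utc)
    exp = local_expiry("2005-06-08T20:00:00Z", "2005-06-09T01:00:00Z", asked)
    print("re-authenticate at", exp.isoformat())
```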
