valid_from / valid_to

Paul Crowley paul at
Wed Jun 8 13:46:19 PDT 2005

Brad Fitzpatrick wrote:
> Are you saying the server tells the consumer that the user is logged in
> from now until 5 hours?  Why should either side care to share/trust that?

The consumer can impose a shorter limit if they so choose, but they 
shouldn't use a longer one.  The server says that this token is only 
valid for so long, so the consumer shouldn't honour it for longer than 
that.   The token should be honoured until whichever is soonest of

* the server secret expiry time
* the token expiry time, as interpreted according to the server secret 
* the consumer's own limits on how long the token should be trusted.

The "auth token" is the combination of the thing that signed and the 
signature: it's the thing that the UA presents to the consumer to prove 
\/ o\ Paul Crowley, paul at

More information about the yadis mailing list