valid_from / valid_to
Paul Crowley
paul at ciphergoth.org
Wed Jun 8 13:46:19 PDT 2005
Brad Fitzpatrick wrote:
> Are you saying the server tells the consumer that the user is logged in
> from now until 5 hours? Why should either side care to share/trust that?
The consumer can impose a shorter limit if they so choose, but they
shouldn't use a longer one. The server says that this token is only
valid for so long, so the consumer shouldn't honour it for longer than
that. The token should be honoured until whichever is soonest of
* the server secret expiry time
* the token expiry time, as interpreted according to the server secret offset
* the consumer's own limits on how long the token should be trusted.
The "auth token" is the combination of the thing that signed and the
signature: it's the thing that the UA presents to the consumer to prove
identity.
--
__
\/ o\ Paul Crowley, paul at ciphergoth.org
/\__/ http://www.ciphergoth.org/
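The "soonest of three limits" rule above, as an added consumer-side check (example code written for this page, not the Yadis or OpenID reference implementation). The token field names, the sorted "key:value" canonical form, the HMAC-SHA256 signature and the idea that the consumer measured a server clock offset when it fetched the server secret are all assumptions made for the illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class ServerSecret:
    """Shared secret the consumer fetched from the identity server (assumed shape)."""
    key: bytes
    expires_at: float     # server secret expiry, expressed on the consumer's clock
    clock_offset: float   # server clock minus consumer clock, measured when the secret was fetched


def canonical(fields: dict) -> bytes:
    # Hypothetical canonical form of the signed fields: sorted "key:value" lines.
    return "\n".join(f"{k}:{fields[k]}" for k in sorted(fields)).encode()


def sign(fields: dict, secret: ServerSecret) -> str:
    # The auth token is these fields plus this signature over them.
    return hmac.new(secret.key, canonical(fields), hashlib.sha256).hexdigest()


def effective_expiry(secret: ServerSecret, token_valid_to: float,
                     consumer_max_lifetime: float, received_at: float) -> float:
    """The token is honoured until the soonest of the three limits from the thread."""
    return min(
        secret.expires_at,                       # server secret expiry
        token_valid_to - secret.clock_offset,    # token expiry, moved onto the consumer's clock
        received_at + consumer_max_lifetime,     # consumer's own limit on trusting the token
    )


def token_is_valid(fields: dict, signature: str, secret: ServerSecret,
                   consumer_max_lifetime: float, received_at: float, now: float) -> bool:
    # Reject a tampered or forged token before looking at any validity window;
    # compare_digest avoids leaking the signature through timing.
    if not hmac.compare_digest(sign(fields, secret), signature):
        return False
    return now < effective_expiry(secret, fields["valid_to"], consumer_max_lifetime, received_at)
```

Note that a consumer can only shorten the window with its own limit; nothing in this check lets it extend the token past the server's valid_to or past the server secret's expiry.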