[OpenID] “exp” Claim in Logout Token


Thamindu Randil

Dec 21, 2020, 2:23:06 AM
to openid-...@lists.openid.net, openi...@lists.openid.net
I'm working on logout token validation for federated-identity-provider-initiated back-channel logout in an identity server. Currently I'm using an instance of the same identity server as the federated identity provider. The logout token I receive from the IdP has an "exp" claim in the claim set. According to the Security Considerations section of the OIDC Back-Channel Logout specification,

"OPs are encouraged to use short expiration times in Logout Tokens, preferably at most two minutes in the future, to prevent captured Logout Tokens from being replayable"

But RFC 8417 states that it is not recommended to use an "exp" claim in SETs.

What is the recommendation for having an "exp" claim in an OIDC logout token?


--
Best Regards,
Thamindu Randil
Undergraduate
Department of Computer Science & Engineering
University of Moratuwa
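As an added example, not code from the post, from the OpenID specifications, or from any identity server, here is a Python validator for the Logout Token checks the question concerns. It enforces "exp" when the OP includes it and otherwise rests on the REQUIRED "iat" claim plus a "jti" replay cache, which is how an RP can honour the two-minute freshness guidance quoted above whether or not "exp" is present. The issuer, client_id, shared HMAC key, 120-second acceptance window and 60-second clock-skew allowance are constructed values; production OPs sign Logout Tokens with asymmetric keys published via JWKS, and HS256 is used here only so the example runs on the standard library alone.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed fixtures (assumptions for this example, not values from the thread). Real OPs sign
# Logout Tokens with asymmetric keys published via JWKS; HS256 with a shared key is used here only
# so the example runs on the standard library alone.
SHARED_KEY = b"example-shared-secret-not-for-production"
ISSUER = "https://op.example.com"
CLIENT_ID = "rp-client-1234"
LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"
MAX_TOKEN_AGE = 120  # seconds: the "at most two minutes" guidance quoted in the post
CLOCK_SKEW = 60      # seconds of tolerated clock drift (an assumed RP policy)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_logout_token(claims: dict, key: bytes = SHARED_KEY) -> str:
    """OP side (constructed): an HS256-signed JWT carrying the given claim set."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "logout+jwt"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


class LogoutTokenValidator:
    """RP side. 'exp' is enforced only when the OP sent it; freshness otherwise rests on the
    REQUIRED 'iat' claim plus a 'jti' replay cache, so a token without 'exp' still cannot be replayed."""
    def __init__(self, key=SHARED_KEY, issuer=ISSUER, client_id=CLIENT_ID, clock=time.time):
        self.key, self.issuer, self.client_id, self.clock = key, issuer, client_id, clock
        self._seen_jti = {}  # jti -> time after which the entry can be evicted

    def validate(self, token: str) -> dict:
        # 1. Parse and verify the signature before trusting any claim.
        parts = token.split(".")
        if len(parts) != 3:
            raise ValueError("malformed JWT")
        header_b64, payload_b64, sig_b64 = parts
        if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
            raise ValueError("unexpected alg")  # never accept alg=none or an alg the RP did not agree to
        expected = hmac.new(self.key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            raise ValueError("bad signature")
        claims = json.loads(_b64url_decode(payload_b64))
        now = self.clock()
        # 2. iss and aud must match this RP's registration with the OP.
        if claims.get("iss") != self.issuer:
            raise ValueError("iss mismatch")
        aud = claims.get("aud")
        if self.client_id not in (aud if isinstance(aud, list) else [aud]):
            raise ValueError("aud mismatch")
        # 3. Freshness: iat is REQUIRED; exp is OPTIONAL but binding when present.
        iat = claims.get("iat")
        if not isinstance(iat, (int, float)):
            raise ValueError("iat missing")
        if iat > now + CLOCK_SKEW or now - iat > MAX_TOKEN_AGE:
            raise ValueError("token too old or from the future")
        exp = claims.get("exp")
        if exp is not None and now >= exp:
            raise ValueError("token expired")
        # 4. Must be a logout event naming a sub and/or sid, and must carry no nonce.
        if LOGOUT_EVENT not in (claims.get("events") or {}):
            raise ValueError("missing backchannel-logout event")
        if "sub" not in claims and "sid" not in claims:
            raise ValueError("neither sub nor sid present")
        if "nonce" in claims:
            raise ValueError("nonce is prohibited in Logout Tokens")
        # 5. Replay protection: a jti is accepted once; entries live until the token would fail step 3 anyway.
        jti = claims.get("jti")
        if not jti:
            raise ValueError("jti missing")
        self._seen_jti = {j: t for j, t in self._seen_jti.items() if t > now}
        if jti in self._seen_jti:
            raise ValueError("replayed jti")
        self._seen_jti[jti] = max(iat + MAX_TOKEN_AGE, exp or 0) + CLOCK_SKEW
        return claims


def outcome(validator: LogoutTokenValidator, token: str) -> str:
    try:
        validator.validate(token)
        return "accepted"
    except ValueError as err:
        return f"rejected: {err}"

def demo(now: int = 1_700_000_000) -> dict:
    # Constructed tokens: one good one, then one per violated rule (replay, stale, expired, nonce, forged).
    v = LogoutTokenValidator(clock=lambda: now)
    base = {"iss": ISSUER, "aud": CLIENT_ID, "events": {LOGOUT_EVENT: {}}, "sid": "sess-42"}
    fresh = mint_logout_token({**base, "iat": now, "exp": now + MAX_TOKEN_AGE, "jti": "jti-1"})
    results = {"fresh": outcome(v, fresh), "replay": outcome(v, fresh)}
    results["stale_no_exp"] = outcome(v, mint_logout_token({**base, "iat": now - 600, "jti": "jti-2"}))
    results["expired"] = outcome(v, mint_logout_token({**base, "iat": now, "exp": now - 1, "jti": "jti-3"}))
    results["with_nonce"] = outcome(v, mint_logout_token({**base, "iat": now, "jti": "jti-4", "nonce": "n"}))
    results["forged"] = outcome(v, mint_logout_token({**base, "iat": now, "jti": "jti-5"}, key=b"attacker-key"))
    return results
```

Calling demo() returns one outcome per constructed token: the fresh token is accepted once, its replay is rejected on jti, the token with no "exp" issued ten minutes ago is rejected on iat age alone, and the expired, nonce-bearing and forged tokens each fail the corresponding check. The ordering matters in practice: the signature is verified before any claim is read, and the jti cache is consulted last so that an attacker cannot poison it with unsigned or stale tokens.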