Description:
Part 4 - 7.41.6 IssuedIdentityToken states:
"IssuedIdentityTokens have an expiration time, and a Server shall invalidate the credentials of the Session within a configurable time after the token expires.
The Session shall stay valid with the Anonymous Role. Clients should renew the token with ActivateSession before the expiration time to avoid communication interruption."

Part 6 - 6.5.3.2 Access Tokens states:
"If the Server allows for anonymous users, the Server may allow the Session to stay open but treat it as an anonymous user. If the Server does not allow anonymous users, it should close the Session immediately."

Part 4 - 7.41.5 X509IdentityTokens does not state anything about exipred tokens.

My expectation is that the behaviour for an expired X509IdentityToken and an expired IssuedIdentityToken should be the same.

Proposal:

• In Part 4 - 7.41.6 IssuedIdentityToken add:
  "If the Server does not allow anonymous users, it should close the Session immediately."

• In Part 4 - 7.41.5 X509IdentityTokens add the text as in section IssuedIdentityToken:
  X509IdentityTokens have an validity period and a Server shall invalidate the credentials of the Session within a configurable time after the token expires.
  The Session shall stay valid with the Anonymous Role. If the Server does not allow anonymous users, it should close the Session immediately.
  Clients should renew the token with ActivateSession before the expiration time to avoid communication interruption.