View Issue Details

ID: 0010126
Project: 10000-004: Services
Category: Spec
View Status: public
Last Update: 2025-03-10 16:44
Reporter: Matthias Isele
Assigned To: Matthias Damm
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: resolved
Resolution: fixed
Product Version: 1.05.04
Summary: 0010126: Behaviour of expired UserTokens not consistent
Description

Description:
Part 4 - 7.41.6 IssuedIdentityToken states:
"IssuedIdentityTokens have an expiration time, and a Server shall invalidate the credentials of the Session within a configurable time after the token expires.
The Session shall stay valid with the Anonymous Role. Clients should renew the token with ActivateSession before the expiration time to avoid communication interruption."

Part 6 - 6.5.3.2 Access Tokens states:
"If the Server allows for anonymous users, the Server may allow the Session to stay open but treat it as an anonymous user. If the Server does not allow anonymous users, it should close the Session immediately."

Part 4 - 7.41.5 X509IdentityTokens does not state anything about expired tokens.

My expectation is that the behaviour for an expired X509IdentityToken and an expired IssuedIdentityToken should be the same.

Proposal:

  • In Part 4 - 7.41.6 IssuedIdentityToken add:
    "If the Server does not allow anonymous users, it should close the Session immediately."

  • In Part 4 - 7.41.5 X509IdentityTokens add the text as in section IssuedIdentityToken:
    X509IdentityTokens have a validity period and a Server shall invalidate the credentials of the Session within a configurable time after the token expires.
    The Session shall stay valid with the Anonymous Role. If the Server does not allow anonymous users, it should close the Session immediately.
    Clients should renew the token with ActivateSession before the expiration time to avoid communication interruption.

Tags: No tags attached.
Commit Version: 1.05.06 RC1
Fix Due Date: 2025-04-30

Activities

Jim Luth

2025-02-25 17:39

administrator   ~0022409

try to apply the proposed changes;

Matthias Damm

2025-03-10 16:44

developer   ~0022493

Added to 7.41.6 IssuedIdentityToken:
If the Server does not allow anonymous users, it should close the Session.

Added to 7.41.5 X509IdentityTokens:
X509IdentityTokens have a validity period and a Server shall invalidate the credentials of the Session within a configurable time after the token expires. The Session shall stay valid with the Anonymous Role. If the Server does not allow anonymous users, it should close the Session. Clients should renew the token with ActivateSession before the expiration time to avoid communication interruption.
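
The resolved rule for expired X509IdentityTokens and IssuedIdentityTokens, as an added Python example that is not part of this issue or of any OPC UA stack: a periodic server-side sweep keeps each Session, downgrades it to the Anonymous Role, or closes it. The `Session` record, the function names, the sample data, and the reading of "configurable time" as a maximum invalidation delay (`max_delay`) are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

ANONYMOUS = "Anonymous"


@dataclass
class Session:  # hypothetical server-side session record
    session_id: str
    token_type: str                   # "X509", "Issued", "UserName" or "Anonymous"
    role: str                         # role currently granted to the Session
    token_expiry: Optional[datetime]  # end of validity; None if the token does not expire


def decide(s, now, allow_anonymous):
    """Return 'keep', 'downgrade' or 'close' for one Session."""
    if s.token_expiry is None or now < s.token_expiry:
        return "keep"
    # Token expired: the credentials must go, whatever the token type.
    return "downgrade" if allow_anonymous else "close"


def sweep(sessions, now, allow_anonymous, max_delay):
    """Apply the rule to all Sessions.

    Returns (open_sessions, closed_ids, overdue_ids). overdue_ids lists
    Sessions whose credentials outlived expiry by more than max_delay,
    which means the sweep interval is too long for the configured limit.
    """
    open_sessions, closed, overdue = [], [], []
    for s in sessions:
        action = decide(s, now, allow_anonymous)
        if action != "keep" and now - s.token_expiry > max_delay:
            overdue.append(s.session_id)
        if action == "close":
            closed.append(s.session_id)
            continue
        if action == "downgrade":
            s.token_type, s.role, s.token_expiry = ANONYMOUS, ANONYMOUS, None
        open_sessions.append(s)
    return open_sessions, closed, overdue


def sample_sessions(now):  # constructed sample data, not taken from the issue
    return [Session("s1", "X509", "Operator", now + timedelta(hours=1)),
            Session("s2", "X509", "Engineer", now - timedelta(seconds=30)),
            Session("s3", "Issued", "Operator", now - timedelta(minutes=10)),
            Session("s4", "UserName", "Observer", None)]
```
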

Issue History

Date Modified Username Field Change
2025-01-30 14:04 Matthias Isele New Issue
2025-02-25 17:38 Jim Luth Assigned To => Matthias Damm
2025-02-25 17:38 Jim Luth Status new => assigned
2025-02-25 17:39 Jim Luth Note Added: 0022409
2025-02-25 17:39 Jim Luth Commit Version => 1.05.06 RC1
2025-02-25 17:39 Jim Luth Fix Due Date => 2025-04-30
2025-03-10 16:44 Matthias Damm Status assigned => resolved
2025-03-10 16:44 Matthias Damm Resolution open => fixed
2025-03-10 16:44 Matthias Damm Note Added: 0022493