Unbind authentication event lifetime from userinfo response

IdentityPython / idpy-oidc

Implementation of everything OIDC and OAuth2

Apache License 2.0

40 stars 22 forks source link

Unbind authentication event lifetime from userinfo response #72

Closed ctriant closed 1 year ago

ctriant commented 1 year ago

This MR unbinds the authentication event lifetime validation from the userinfo response. The userinfo endpoint should only consider the provided token, that must fulfill the following criteria:

the token is an access-token
the access-token is valid (not expired or revoked)
the access-token includes the openid scope

ctriant commented 1 year ago

@c00kiemon5ter @rohe