4.1.4 Token Expiry and Renewal

  • If the iat claim is in the future at the time of the upgrade request, the server MUST reject the request.
  • If the exp claim is in the past at the time of the upgrade request (i.e., the token is already expired), the server MUST reject the request.
  • If the security token used to establish the session expires, the server MAY disconnect the session at any time. The server MUST NOT use a CloseSession message to do so. Before disconnecting the session, the server MUST send the EXPIRED_TOKEN ProtocolException.
  • Disconnection for this reason is considered an abnormal session termination, and the session survivability behaviors (as defined in this specification) MUST be observed. Observing these behaviors allows the client 1 hour to reconnect the session with a valid token, without losing any session state.
  • The client is responsible for renewing the token and passing the updated token to the server. Token renewal must be done in accordance with RFC 6749, Section 6 (https://tools.ietf.org/html/rfc6749).
  • The server must authenticate the renewed token, then update and honor the new expiration date.
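The following is an added example, not code from this specification or any implementation of it, showing the server-side rules above as a minimal model: the two upgrade-time rejection checks on iat and exp, the EXPIRED_TOKEN notification sent before an abnormal disconnect, the reconnect window, and acceptance of a renewed token. Times are plain epoch seconds; the EXPIRED_TOKEN string, the RECONNECT_WINDOW_S constant, and the `authenticated` flag (standing in for an out-of-scope token verifier) are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Optional

EXPIRED_TOKEN = "EXPIRED_TOKEN"   # assumed name for the ProtocolException
RECONNECT_WINDOW_S = 3600         # the 1 hour reconnect window from the section


def check_upgrade_claims(claims: dict, now: float) -> Optional[str]:
    """Return None if the token's timing claims allow the upgrade request,
    otherwise a reason string matching the section's MUST-reject rules."""
    iat, exp = claims.get("iat"), claims.get("exp")
    if iat is None or exp is None:
        return "missing iat or exp"
    if iat > now:            # issued in the future: reject
        return "iat in the future"
    if exp < now:            # already expired: reject
        return "token already expired"
    return None


@dataclass
class Session:
    token_exp: float
    connected: bool = True
    sent: list = field(default_factory=list)   # messages emitted by the server
    reconnect_deadline: Optional[float] = None

    def tick(self, now: float) -> None:
        """Server-side expiry handling: send EXPIRED_TOKEN first, then drop the
        connection abnormally (no CloseSession) and open the reconnect window."""
        if self.connected and now > self.token_exp:
            self.sent.append(("ProtocolException", EXPIRED_TOKEN))
            self.connected = False
            self.reconnect_deadline = now + RECONNECT_WINDOW_S

    def reconnect(self, claims: dict, now: float, authenticated: bool) -> bool:
        """Accept a renewed token only inside the window, only if the server
        authenticated it, and only if its own timing claims pass."""
        if self.reconnect_deadline is None or now > self.reconnect_deadline:
            return False
        if not authenticated or check_upgrade_claims(claims, now) is not None:
            return False
        self.token_exp = claims["exp"]   # honor the renewed expiration date
        self.connected = True
        self.reconnect_deadline = None
        return True
```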