AWS verified-access documentation change
Summary
Clarified session duration rules for Verified Access trust providers, including refresh token handling
Security assessment
Documents security-related session management behavior (using refresh token expiration for session duration). While this relates to security features, there is no evidence of addressing a specific vulnerability. The change improves documentation of existing security controls.
Diff
diff --git a/verified-access/latest/ug/user-trust.md b/verified-access/latest/ug/user-trust.md index ef67267b0..8040e7431 100644 --- a//verified-access/latest/ug/user-trust.md +++ b//verified-access/latest/ug/user-trust.md @@ -105 +105,3 @@ With trust providers created on or before February 24, 2025, Verified Access doe -The session duration for an OIDC trust provider is 1 day or the expiration time in the access token, whichever is shorter. With trust providers created before February 24, 2025, the session duration is 7 days. +With trust providers created on or before February 24, 2025, the default session duration is one day. With trust providers created before February 24, 2025, the default session duration is seven days. + +If a refresh token is specified, Verified Access uses the expiration of the refresh token as the session duration. If there is no refresh token, the default session duration is used.