[Openid-specs-ab] Session Management Spec

Torsten Lodderstedt torsten at lodderstedt.net
Mon Jul 30 06:09:45 UTC 2012

Hi Nat,

according to my notes, we concluded as follows:
- the iframe approach will be the default approach
- there might be older browsers in the field, which do not support the 
required HTML methods (postMessage namely? anything else?). So we need a 
fallback for those. We discussed the following variants of the 
redirect-based approach:
  - iFrame: load RP's logout URL within iframe - this may cause problems 
regarding update and deletion of cookies due to P3P policies
  - img: usage of img tags referring to the RP's logout URL worked best. 
Open question is return code transmission
  - JSONP: no one so far gathered experiences regarding JSONP and logout 

Since img seemed to be the least problematic approach we decided to go 
with it.

I'm not tied to the redirect approach if we are sure that it will work 
reliably for all kinds of browsers.

best regards,

On 30.07.2012 05:50, Nat Sakimura wrote:
> OK. That did not appear legibly on the Whiteboard photos.
> It was around next url I think, but I also remember that is not
> reliable, bad user experience, etc., and I am not sure what was the
> end result. Could you kindly forward what you remember to the list? I
> may include it in the next rev.
> =nat
> On Sun, Jul 29, 2012 at 6:42 AM, Torsten Lodderstedt
> <torsten at lodderstedt.net> wrote:
>> Hi Nat,
>> thanks for preparing this spec.
>> At IIW, we also talked about supporting logout propagation via HTTP
>> redirects, mainly to support older browsers. What happened to this
>> option?
>> best regards,
>> Torsten.
>> On 28.06.2012 07:50, Nat Sakimura wrote:
>> Since I did not receive any additional comments,
>> I have committed it to the working repository (bitbucket).
>> HTML version is here:
>> http://openid.bitbucket.org/openid-connect-session-1_0.html
>> With it, I would like to ask the working group to consider adding the
>> following two items in the OP Configuration file.
>>
>> OP iframe URL
>>    The URL from which OP iframe is being loaded. This URL provides a
>>    page that accepts postMessage from the relevant RP iframe and
>>    postMessage back the login status of the user at the OP.
>> OP Logout endpoint URL
>>    The URL that initiates the user logout at the OP.
>>
>> The name for each variable could be something like:
>> op_session_iframe_url
>>    and
>> op_logout_url
>> Best,
>> --
>> Nat Sakimura (=nat)
>> Chairman, OpenID Foundation
>> http://nat.sakimura.org/
>> @_nat_en
>> _______________________________________________
>> Openid-specs-ab mailing list
>> Openid-specs-ab at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
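
The img-based fallback chosen in the top message, sketched from the OP side as an added example that is not part of the thread or of the Session Management spec. It shows why return code transmission is an open question: an img tag only reports load or error, so the page can tell "logout incomplete" but not why. The function names, the `report` callback and the RP URLs are assumptions constructed for illustration.

```javascript
// Escape a value for use inside a double-quoted HTML attribute.
function escapeHtmlAttr(s) {
  return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;")
          .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Accept only absolute https URLs; anything else is dropped rather than
// written into the logout page.
function validLogoutUrl(raw) {
  try {
    const u = new URL(raw);
    return u.protocol === "https:" ? u.href : null;
  } catch (e) {
    return null;
  }
}

// Build the OP's logout page body: one hidden img per RP logout URL.
// onload fires only if the RP answers with a decodable image; any other
// response, including an HTTP error or a non-image body, fires onerror.
function buildLogoutPage(rpLogoutUrls) {
  const skipped = [];
  const tags = [];
  rpLogoutUrls.forEach((raw) => {
    const href = validLogoutUrl(raw);
    if (href === null) { skipped.push(raw); return; }
    const i = tags.length;
    tags.push(
      `<img src="${escapeHtmlAttr(href)}" width="1" height="1" alt=""` +
      ` onload="report(${i},true)" onerror="report(${i},false)">`);
  });
  // Inline collector: the only per-RP result available is a boolean.
  const script =
    `<script>var pending=${tags.length},failed=[];` +
    `function report(i,ok){if(!ok)failed.push(i);if(--pending===0)` +
    `document.title=failed.length?"logout incomplete":"logged out";}` +
    `</script>`;
  return { html: script + "\n" + tags.join("\n"), skipped };
}

// Constructed sample input: two usable RP logout URLs, two rejected ones.
const sample = buildLogoutPage([
  "https://rp1.example/logout",
  "https://rp2.example/logout?sid=abc&next=done",
  "not-a-url",
  "http://rp3.example/logout",
]);
console.log(sample.html);
console.log("skipped:", sample.skipped);
```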
