[Openid-specs-ab] Session Management Spec

Nat Sakimura sakimura at gmail.com
Mon Jul 30 06:30:20 UTC 2012

Ok. img I think I can draft as one of NRI's implementations uses it.
Having said that, a concrete outline from the WG members is welcome.
I will give a week before I start (I am travelling for IETF 84 this week so...)


On Mon, Jul 30, 2012 at 3:09 PM, Torsten Lodderstedt
<torsten at lodderstedt.net> wrote:
> Hi Nat,
> according to my notes, we concluded as follows:
> - the iframe approach will be the default approach
> - there might be older browsers in the field, which do not support the
> required HTML methods (postMessage namely? anything else?). So we need a
> fallback for those. We discussed the following variants of the
> redirect-based approach:
>  - iFrame: load RP's logout URL within iframe - this may cause problems
> regarding update and deletion of cookies due to p3p policies
>  - img: usage of img tags referring to the RP's logout URL worked best. Open
> question is return code transmission
>  - JSONP: no one so far gathered experiences regarding JSONP and logout
> propagation
> Since img seemed to be the less problematic approach we decided to go with
> it.
> I'm not tied to the redirect approach if we are sure that it will work
> reliably for all kinds of browsers.
> best regards,
> Torsten.
> On 30.07.2012 05:50, Nat Sakimura wrote:
>> OK. That did not appear legibly on the Whiteboard photos.
>> It was around next url I think, but I also remember that is not
>> reliable, bad user experience, etc., and I am not sure what was the
>> end result. Could you kindly forward what you remember to the list? I
>> may include it in the next rev.
>> =nat
>> On Sun, Jul 29, 2012 at 6:42 AM, Torsten Lodderstedt
>> <torsten at lodderstedt.net> wrote:
>>> Hi Nat,
>>> thanks for preparing this spec.
>>> At IIW, we also talked about supporting logout propagation via HTTP
>>> redirects, mainly to support older browsers. What happened to this option?
>>> best regards,
>>> Torsten.
>>> On 28.06.2012 07:50, Nat Sakimura wrote:
>>> Since I did not receive any additional comments,
>>> I have committed it to the working repository (bitbucket).
>>> HTML version is here:
>>> http://openid.bitbucket.org/openid-connect-session-1_0.html
>>> With it, I would like to ask the working group to consider adding the
>>> following two items in the OP Configuration file.
>>> OP iframe URL: The URL from which OP iframe is being loaded. This URL
>>> provides a page that accepts postMessage from the relevant RP iframe and
>>> postMessage back the login status of the user at the OP.
>>> OP Logout endpoint URL: The URL that initiates the user logout at the OP.
>>> The name for each variable could be something like:
>>> op_session_iframe_url
>>>    and
>>> op_logout_url
>>> Best,
>>> --
>>> Nat Sakimura (=nat)
>>> Chairman, OpenID Foundation
>>> http://nat.sakimura.org/
>>> @_nat_en

Nat Sakimura (=nat)
Chairman, OpenID Foundation
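
The OP iframe exchange described in the quoted proposal, as an added example that is not part of the thread or of the draft spec: both sides check `event.origin` before trusting or answering a postMessage. The message format (`<client_id> <session_state>`), the replies `unchanged` / `changed`, the hosts, and the names `opFrameReply`, `rpHandleReply` and `readSessionState` are assumptions made for illustration.

```javascript
// Added illustration, not code from the thread. Message format and reply
// strings are assumed; all hosts and client ids below are constructed.

// Constructed sample data: client_id -> origin registered for that RP.
const RP_ORIGINS = new Map([['rp-client-1', 'https://rp.example']]);
// Constructed value of the proposed op_session_iframe_url setting.
const OP_IFRAME_URL = 'https://op.example/session/iframe';

// OP side: logic for the page served at op_session_iframe_url.
// Returns what to postMessage back, or null when the message must be ignored.
function opFrameReply(event, rpOrigins, currentSessionState) {
  if (typeof event.data !== 'string') return null;
  const parts = event.data.split(' ');
  if (parts.length !== 2) return null;            // malformed: stay silent
  const [clientId, sessionState] = parts;
  const registered = rpOrigins.get(clientId);
  // Login status is only reported to the origin registered for this RP.
  if (registered === undefined || event.origin !== registered) return null;
  return {
    targetOrigin: registered,                     // explicit target, never "*"
    message: sessionState === currentSessionState ? 'unchanged' : 'changed',
  };
}

// RP side: only a reply that really comes from the OP iframe's origin counts.
function rpHandleReply(event, opSessionIframeUrl) {
  const opOrigin = new URL(opSessionIframeUrl).origin;
  if (event.origin !== opOrigin) return 'ignored';
  if (event.data === 'unchanged') return 'keep-session';
  if (event.data === 'changed') return 'recheck-login';
  return 'ignored';
}

// Browser wiring for the OP iframe, left as a comment because it needs a DOM
// (readSessionState is a hypothetical helper that reads the OP's session cookie):
// window.addEventListener('message', (e) => {
//   const r = opFrameReply(e, RP_ORIGINS, readSessionState());
//   if (r) e.source.postMessage(r.message, r.targetOrigin);
// });
```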
