[Openid-specs-ab] Spec call notes 20-Jan-14

Mike Jones Michael.Jones at microsoft.com
Tue Jan 21 00:31:14 UTC 2014

Spec call notes 20-Jan-14

John Bradley
Mike Jones
Tim Bray
Nat Sakimura
Todd Lainhart - Rational software at IBM
    Building OpenSSO server based on Connect
    Interfacing with WebSphere people who are also interested in Connect
Brian Campbell
Edmund Jay
Naveen Agarwal

    Potential changes to session management for multiple logins
    Open Issues
    Session State

Potential changes to session management for multiple logins:
    Naveen opened the discussion by sharing some of his/Google's thoughts
    Google believes that signing out on relying party doesn't make a lot of sense in consumer use cases
    Google would like to see switch user options for multiple logins
    IdPs can decide whether to support a global logout
    Switch user kills local cookies, but leaves user signed into IdP
    Google has an authorization endpoint parameter to force showing the Account Chooser
        A different prompt parameter
        John & Brian pointed out the select_account parameter
        This may be what Google is already using
    Google's logout widget currently just deletes their local cookies
        It doesn't use any endpoints
    Naveen thinks that the current logout interfaces will work fine for IdPs that support global logout
    IBM had proprietary extensions to OAuth 2.0 for logout
        The IdP would send logout messages to registered RPs
    IBM has switched to OpenID Connect
        They still have the server side notifications in place for now
    Edmund's PHP and Scala implementations both implement session management
    No one appears to be proposing changes, at least on the call

Open Issues:
    #914: Session 5 - Missing client_id parameter
        People seem to be in favor of including this parameter
        Some said that the RP may not still have access to the ID Token
        Todd asked whether any state can be round tripped across a logout
            We don't support that directly
            Registering multiple post-logout pages can be used to pass some state
        We would need to add security considerations about the client_id being spoofable

Session State:
    There was a discussion of the Session State computation
        It's not clear how to determine the client origin
        It might be the same hostname as the redirect_uri, but that's not always true
    We may need to register the client origin explicitly
    Todd will file an issue about this