[Openid-specs-ab] Possibly using session_state in logout and prompt=none requests

Mike Jones Michael.Jones at microsoft.com
Tue Jul 1 00:46:36 UTC 2014


Some Microsoft product people have asked whether session_state could be used in logout requests as an alternative to using the id_token_hint.  A secondary related ask would be to be able to use the session_state instead of id_token_hint in prompt=none requests.

The logic behind this request is that then the RP would only need to persist the session_state value and not the id_token value.

It's not clear whether in the general case, session_state would have sufficient information for this to work.  It would be good to get a sense what people have in their session_state values now (which are opaque to the RP).

Another possible downside to this is that since session management is optional, RPs would still have to have code to persist the id_token for prompt=none requests for OPs that don't support session management.

Comments?

                                                                -- Mike

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20140701/d1c4dca5/attachment-0001.html>


More information about the Openid-specs-ab mailing list