[Openid-specs-ab] Possible state parameter for RP-initiated logout

Nat Sakimura sakimura at gmail.com
Wed Jul 2 17:59:56 UTC 2014


Client generated state parameter for preventing CSRF makes sense.

Using session_state in place of id_token is a completely different issue and
+1 to defer it to another thread.


2014-07-03 2:08 GMT+09:00 Mike Jones <Michael.Jones at microsoft.com>:

> The client-generated “state” parameter is exactly what I was asking
> about on this thread.  It seems that that has working group support.
>
> There was also a different thread “[Openid-specs-ab] Possibly using
> session_state in logout and prompt=none requests” discussing an unrelated
> proposal.  It should be discussed on the other thread.
>
>                                                             -- Mike
>
> *From:* John Bradley [mailto:ve7jtb at ve7jtb.com]
> *Sent:* Wednesday, July 02, 2014 7:21 AM
> *To:* Thomas Broyer
> *Cc:* Mike Jones; openid-specs-ab at lists.openid.net
> *Subject:* Re: [Openid-specs-ab] Possible state parameter for
> RP-initiated logout
>
> PS I do agree that the logout call should have a Client generated state
> parameter that is opaque to the IdP and returned in the response.
>
> However that is not the state Mike was asking about as I understood the
> question.
>
> On Jul 1, 2014, at 8:35 AM, Thomas Broyer <t.broyer at gmail.com> wrote:
>
> That makes sense. Particularly given that all post_logout_redirect_uri
> should be pre-registered and are compared byte-for-byte, leaving no place
> to, e.g., add query-string arguments to customize the behavior upon
> redirection. So yes, there should be a 'state' parameter.
>
> I'm going to add it to our implementation ASAP.
>
> On Tue, Jul 1, 2014 at 2:31 AM, Mike Jones <Michael.Jones at microsoft.com>
> wrote:
>
> Some Microsoft product people have requested an optional “state”
> parameter for RP-initiated logout requests.  Like the OAuth “state”
> parameter this would be passed to the end_session_endpoint as an optional
> query parameter, and if present, would be passed back with the same value
> to the post_logout_redirect_uri endpoint.
>
> What do people think of this proposal?
>
> RP-initiated logout is defined at
> http://openid.net/specs/openid-connect-session-1_0.html#RPLogout.
>
>                                                                 -- Mike
>
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>
> --
> Thomas Broyer
> /tɔ.ma.bʁwa.je/ <http://xn--nna.ma.xn--bwa-xxb.je/>


-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
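The proposal discussed in this thread, a client-generated "state" that is opaque to the OP, sent to the end_session_endpoint and echoed back to the post_logout_redirect_uri, as an added example of how an RP would bind it to its own session and check it on return. This is illustration code, not from the thread or from any OpenID Connect implementation; the endpoint URLs, the session dict and the id_token value are constructed placeholders.

```python
import secrets
import hmac
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed OP metadata and RP registration values (assumptions for this example).
END_SESSION_ENDPOINT = "https://op.example.com/end_session"
POST_LOGOUT_REDIRECT_URI = "https://rp.example.com/logged-out"


def build_logout_url(session: dict, id_token: str) -> str:
    """Build the RP-initiated logout URL and bind a fresh state to the RP session.

    The state is opaque to the OP: it is only meaningful to this RP, which stores
    it server-side so the redirect back to post_logout_redirect_uri can be checked.
    """
    state = secrets.token_urlsafe(32)
    session["logout_state"] = state
    params = {
        "id_token_hint": id_token,
        "post_logout_redirect_uri": POST_LOGOUT_REDIRECT_URI,
        "state": state,
    }
    return f"{END_SESSION_ENDPOINT}?{urlencode(params)}"


def handle_post_logout_redirect(session: dict, redirect_url: str) -> bool:
    """Verify the state echoed back to post_logout_redirect_uri.

    Returns True only if the query carries exactly one state value that matches
    the one stored for this browser session. The stored value is consumed on
    every attempt, so it cannot be replayed, and the local RP session is only
    torn down after a successful match, which is what stops a forged redirect
    from logging the user out of the RP.
    """
    expected = session.pop("logout_state", None)
    if expected is None:
        return False  # no logout was started from this session
    query = parse_qs(urlparse(redirect_url).query)
    received = query.get("state", [])
    if len(received) != 1:
        return False
    # Constant-time comparison so the check does not leak the expected value.
    if not hmac.compare_digest(received[0], expected):
        return False
    session.clear()  # only now tear down the local RP session
    return True
```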

