[Openid-specs-ab] OpenID Connect Logout using HTTP GET
Michael.Jones at microsoft.com
Sat Feb 21 01:10:42 UTC 2015
It never seems to fail - you send something out then you immediately realize what's wrong with it. ;-) In this case, I realized that the "sid" (Session ID) isn't sufficient, in general, for the RP to identify the session that the logout request pertains to, since the "sid" is issuer-specific (just like "sub" is). The RP also needs to know the issuer. The most straightforward way to provide this is probably also having an "iss=issuer" query parameter for the logout request to the RP, in addition to the "sid=sessionID" query parameter.
From: Openid-specs-ab [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Mike Jones
Sent: Friday, February 20, 2015 4:37 PM
To: openid-specs-ab at lists.openid.net
Subject: Re: [Openid-specs-ab] OpenID Connect Logout using HTTP GET
A third iteration of the proposed OpenID Connect spec on logout using HTTP GET is attached. (It's now a two-pager.) This incorporates the results of the useful discussion on Thursday's call. Keep those cards and letters coming!
* Replaced the optional id_token parameter with an optional sid (Session ID) parameter.
* Enabled the use of iframes with nested images or iframes to achieve downstream logouts.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Openid-specs-ab