[Openid-specs-ab] Spec call notes 23-Feb-15

Torsten Lodderstedt torsten at lodderstedt.net
Tue Feb 24 06:38:02 UTC 2015

 I don't understand why you want to invite a new token concept for the logout. First there was a sid. The sid alone is not enough (if the same value is used among RPs in the same session), therefore you need to introduce an audience and a digital signature. This is getting more complex with every iteration.

>From a conceptual perspective, the challenge we are facing is the OP wants to send a request to a protected resource (logout endpoint at the RP). Sounds familiar? Yes, because this is classic OAuth with the OP taking the role of the client. 

I would therefore suggest to let the RP register the token it wants to get its logout endpoint invoked with. One could also use RFC 6750 mechanisms (or even pop) to carry the token in the actual logout request. The advantage of this design: this token is opaque to the OP. There is no need to specify it. The token design and how to identify the respective session at the RP is at the RP's discretion. It could just be a reference to its session database. It also could be a JWT.

kind regards,

Am 24. Februar 2015 03:45:34 MEZ, schrieb John Bradley <ve7jtb at ve7jtb.com>:
>My point was not that audience was not needed, but rather that it could
>be a different audience to differentiate between the login and sign out
>That WAY the sign out tokens would not be accepted as login tokens.  
>eg the logout_uri rather than the client_id as a posable example.
>John B.
>> On Feb 23, 2015, at 6:32 PM, Mike Jones <Michael.Jones at microsoft.com>
>> Spec call notes 23-Feb-15
>> Nat Sakimura
>> Mike Jones
>> Brian Campbell
>> Edmund Jay
>> John Bradley
>> Agenda
>>                Use of Pragma: no-cache in Form Post Response Mode
>>                Logout
>>                Certification
>> Use of Pragma: no-cache in Form Post Response Mode
>>                Brian believes the only change needed is to remove the
>"Pragma: no-cache"
>>                He believes that "Cache-Control: no-store" also
>performs a "Cache-Control: no-cache"
>>                               Mike will confirm this
>>                Then Mike will make the change and update the blog
>>                Later in the call, Brian pointed out that we should
>have normative text about not caching the result
>>                               He will propose a sentence to add
>> Logout
>>                When using the Session ID on the front channel, you're
>only picking from among those that are live in the browser
>>                An alternative to putting "sid" and "iss" as query
>parameters is to them in a JWT
>>                               But it should not be a legal ID Token,
>so perhaps shouldn't have a subject
>>                               John pointed out that we should at
>least consider whether an audience would be needed
>>                John will be working on a back channel logout spec
>also using the Session ID
>>                               We should try to have these be as close
>to one another as reasonably possible
>>                               He's on his way to Barcelona for MWC,
>so this may not happen for a bit
>>                People agreed that the differentiation between image
>and iframe GETs must happen at registration time
>>                The query parameters still need to be reviewed
>> Certification
>>                Roland now has testing up on the Symantec hosts
>>                A team member of Roland's created an OP
>self-registration page at https://op.certification.openid.net:60000/
>>                               When you select dynamic configuration,
>the answer to the first question is the issuer path (this isn't
>>                               Mike will file some bugs on clarifying
>how the tool works
>>                People doing testing should migrate over to the
>official server
>>                This also means that Roland can now also put up the RP
>>                Breno should be getting back to us within a week or so
>on how long it will take them to create a conforming implementation
>> _______________________________________________
>> Openid-specs-ab mailing list
>> Openid-specs-ab at lists.openid.net
><mailto:Openid-specs-ab at lists.openid.net>
>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>Openid-specs-ab mailing list
>Openid-specs-ab at lists.openid.net

Diese Nachricht wurde von meinem Android-Mobiltelefon mit K-9 Mail gesendet.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20150224/573c2087/attachment.html>

More information about the Openid-specs-ab mailing list