[Openid-specs-ab] First full HTML-based logout spec published

Thomas Broyer t.broyer at gmail.com
Tue Mar 10 00:23:20 UTC 2015

On Tue, Mar 10, 2015 at 12:52 AM Mike Jones <Michael.Jones at microsoft.com>

>  Thanks for pointing out the typos, Thomas.  I was writing that text
> apparently too quickly.  I’ll correct it!
> You’re right that Session Management is about state change but the primary
> state change reacted to by the RP is logout.  That’s why the next-to-last
> paragraph in the RP iframe section at
> http://openid.net/specs/openid-connect-session-1_0.html#RPiframe says:
> When the RP detects a session state change, it SHOULD first try a
> prompt=none request within an iframe to obtain a new ID Token and session
> state, sending the old ID Token as the id_token_hint. If the RP receives
> an ID token for the same End-User, it SHOULD simply update the value of the
> session state. If it doesn't receive an ID token or receives an ID token
> for another End-User, then it needs to handle this case as a logout for the
> original End-User.
> Both specs can do either RP- or OP-initiated logout.  (The RP-initiated
> logout is the same in both.)  In one, the OP communicates the logout
> message with a GET (an HTTP action)

Expected to be triggered by an <img> or <iframe> in an HTML page, so I'd
rather call it "HTML" than "HTTP".

> and in the other with a postMessage (an HTML action).

For me, it's more "JavaScript" (or "postMessage", or more accurately
"cross-document messaging", but in any case require JS to be supported and
enabled in the browser) than "HTML".

> That’s why we chose the name – because there’s some differentiation based
> on the two mechanisms.
> The problem with the “browser-based logout” name is that the Session
> Management spec also facilitates browser-based logout.  We were trying for
> a name that differentiates the two specs.

How about merging the specs?

The "postMessage" approach is about "near real-time", and assumes documents
are loaded (and "running") concurrently in the browser (which is not the
case on mobile AFAIK). It works particularly well for single-page apps, or
even any other apps where the user fills out forms (detecting the logout on
the client-side can help in not losing data: e.g. the user can re-login
and then submit the form).
The "<img>" approach is a bit simpler, doesn't require JS (but can be
enhanced with JS), but won't work well with single-page apps (or other
long-running client apps) as it goes to the server first.
Both are complementary when it comes to managing (and terminating) sessions.

> We should probably continue talking about the name.  Let’s add it as a
> topic to the Thursday working group call.  Thomas – you’re free to join
> it.  Join at https://www3.gotomeeting.com/join/181372694 or +1 (646)
> 982-0002, access code 181-372-694 or see
> https://global.gotomeeting.com/public/prelogin.html#meetings/181372694/numbersdisplay
> for more phone numbers.  The call is at 7am US Pacific Time which would be
> 15:00 CET this week.

I won't be available that Thursday sorry. Maybe next week (depending on the
