[Openid-specs-ab] First full HTML-based logout spec published
t.broyer at gmail.com
Tue Mar 10 00:23:20 UTC 2015
On Tue, Mar 10, 2015 at 12:52 AM Mike Jones <Michael.Jones at microsoft.com>
> Thanks for pointing out the typos, Thomas. I was writing that text
> apparently too quickly. I’ll correct it!
> You’re right that Session Management is about state change but the primary
> state change reacted to by the RP is logout. That’s why the next-to-last
> paragraph in the RP iframe section at
> http://openid.net/specs/openid-connect-session-1_0.html#RPiframe says:
> When the RP detects a session state change, it SHOULD first try a
> prompt=none request within an iframe to obtain a new ID Token and session
> state, sending the old ID Token as the id_token_hint. If the RP receives
> an ID token for the same End-User, it SHOULD simply update the value of the
> session state. If it doesn't receive an ID token or receives an ID token
> for another End-User, then it needs to handle this case as a logout for the
> original End-User.
> Both specs can do either RP- or OP-initiated logout. (The RP-initiated
> logout is the same in both.) In one, the OP communicates the logout
> message with a GET (an HTTP action)
Expected to be triggered by an <img> or <iframe> in an HTML page, so I'd
rather call it "HTML" than "HTTP".
> and in the other with a postMessage (an HTML action).
"cross-document messaging", but in any case require JS to be supported and
enabled in the browser) than "HTML".
> That’s why we chose the name – because there’s some differentiation based
> on the two mechanisms.
> The problem with the “browser-based logout” name is that the Session
> Management spec also facilitates browser-based logout. We were trying for
> a name that differentiates the two specs.
How about merging the specs?
The "postMessage" approach is about "near real-time", and assumes documents
are loaded (and "running") concurrently in the browser (which is not the
case on mobile AFAIK). It works particularly well for single-page apps, or
even any other apps where the user fills out forms (detecting the logout on
the client-side can help in not losing data: e.g. the user can re-login
and then submit the form).
The "<img>" approach is a bit simpler, doesn't require JS (but can be
enhanced with JS), but won't work well with single-page apps (or other
long-running client apps) as it goes to the server first.
Both are complementary when it comes to managing (and terminating) sessions.
> We should probably continue talking about the name. Let’s add it as a
> topic to the Thursday working group call. Thomas – you’re free to join
> it. Join at https://www3.gotomeeting.com/join/181372694 or +1 (646)
> 982-0002, access code 181-372-694 or see
> for more phone numbers. The call is at 7am US Pacific Time which would be
> 15:00 CET this week.
I won't be available that Thursday sorry. Maybe next week (depending on the