[Openid-specs-ab] Initial back-channel logout specification published
Michael.Jones at microsoft.com
Thu Sep 10 06:54:08 UTC 2015
After our working group conversation on the Thursday call, I sat down on Friday and wrote a first draft of the back-channel logout specification. I incorporated a few improvements suggested by John Bradley since then. The resulting spec has now been published as http://openid.net/specs/openid-connect-backchannel-1_0-00.html.
This specification defines a logout mechanism that uses back-channel communication between the OP and RPs being logged out; this differs from front-channel logout mechanisms, which communicate logout requests from the OP to RPs via the User Agent.
The OP POSTs a Logout Token - like an ID Token, but with slightly different claims - to the RP's back-channel logout endpoint to request that the RP log out. It's up to the RP to implement a mechanism that accepts these requests and acts upon them - locating and logging out the specified End-User session at the RP.
Please review the specification and also compare it to http://openid.net/specs/openid-connect-logout-1_0-03.html. There are some ways we may want to make them more parallel, but John and I decided to publish this as-is now and then have working group discussions on the right directions to take both specs. The use of the Session ID is where the specs are currently the most different from one another.
The creation of this specification resolves issue #922 - Session cleanup via back-channel - https://bitbucket.org/openid/connect/issues/922/session-cleanup-via-back-channel.
Also, see my public description of the specification and the motivation for it at http://self-issued.info/?p=1452 and on @selfissued<https://twitter.com/selfissued>.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Openid-specs-ab