[Openid-specs-ab] Spec call notes 19-Sep-16

Nick Roy nroy at internet2.edu
Wed Sep 21 15:07:59 UTC 2016


It seems to me that strong assurance of logout will require new features at the browser/client.


On Sep 19, 2016 5:59 PM, Edmund Jay via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:
Spec call notes 19-Sep-16

Nat Sakimura
Edmund Jay
Prateek Mishra
Rich Levinson

    Session and Logout specs

Prateek and Rich are looking at the session related aspect of OpenID Connect and
analyzing the distinctions between the ID Token, Session ID, and session lifetimes.

They are looking for a "strong logout" solution (strong coupling of sessions between IdP and RP).

They are deciding whether any changes and/or change to the language is needed.

Clarification is needed on ID Token lifetime and session lifetime.

They are analyzing RP use cases and are finding that some class of RPs desire
strong logout with IdP.

For strong logout implementation, they are looking into what information is needed to
be conveyed to the RP for session termination.

Required information includes session ID, IdP session lifetime (or expiration).
Session lifetime is needed by some RPs which use caches to implement a flush strategy.

There are many use cases where the RP wants to coordinate sessions with IdP and have strong session logout.

Prateek and Rich will publish an analysis by the next Thursday call and solicit community feedback.
