[Openid-specs-ab] Comments on OpenID Connect Back-Channel Logout
Michael.Jones at microsoft.com
Sun Mar 26 21:13:11 UTC 2017
Thanks for these comments as well, Torsten.
Yes, we should probably talk about remembering the logged-in sessions in the other specs as well.
Per our earlier discussion, I agree that we should drop the normative text about "nonce" and only say something in the Security Considerations section about why there isn't a problem.
John and others have some thoughts about the optional parameter note. Let's plan to talk about this together in Chicago.
Actually, the RP-Initiated logout functionality is at http://openid.net/specs/openid-connect-backchannel-1_0.html#RPInitiated. You just missed it because we did here what you suggested we do in the Front-Channel Logout spec. ;-)
We should definitely review the replay language and clarify.
Thanks for your attention to detail, as always!
From: Torsten Lodderstedt [mailto:torsten at lodderstedt.net]
Sent: Sunday, March 26, 2017 12:59 PM
To: openid-specs-ab at lists.openid.net; Mike Jones <Michael.Jones at microsoft.com>; John Bradley <ve7jtb at ve7jtb.com>
Subject: Comments on OpenID Connect Back-Channel Logout
And finally, here are my comments on the backchannel logout:
Remembering Logged-In RPs - is this any different in frontchannel logout? I’m asking because it isn’t mentioned there.
“The following Claim MUST NOT be used within the Logout Token:” As already stated in my earlier posting, I would simply not mention nonce at all. This just confuses readers.
“NOTE: An open issue for the specification is whether to define an additional optional parameter in the logout token, probably as a value in the event-specific parameters JSON object, that explicitly signals that offline_access refresh tokens are also to be revoked.”
My take on that is: the OP can revoke/invalidate refresh tokens at any time at its discretion, and any OAuth client must be able to handle it. So why add a parameter to signal this intention?
In contrast to front channel logout and session management, this spec does not specify an RP-initiated logout. I would suggest adding such a feature in order to cope with the typical front channel communication uncertainties (e.g. suddenly closed browser tabs).
I think the spec is undecided on logout token replay. Section 2.6 states: “Optionally verify that another Logout Token with the same jti value has not been recently received.” In contrast, section 4 states: “OPs are encouraged to use short expiration times in Logout Tokens, preferably at most two minutes in the future, to prevent captured Logout Tokens from being replayable.” Is there any preference?
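A worked illustration of the Logout Token checks the two messages discuss, added here as an example; it is not code from either e-mail or from the OpenID specifications. It assumes the JWS signature has already been verified upstream and works on the decoded claims; the issuer, client id, session id and timestamps are constructed. It applies the section 2.6 checks (issuer, audience, events claim, absence of nonce, sub or sid, jti replay) together with the section 4 advice on short lifetimes, which shows how the two fit together: the expiration bounds how long a jti must be remembered, so the replay cache can be purged rather than grow without limit.

```python
"""Validate the claims of an OpenID Connect Back-Channel Logout Token.

Constructed example: the JWS signature is assumed to have been verified
before these claim checks run. Issuer, client id and clock values below
are made up for the demonstration.
"""
import time

# Member name the spec requires inside the "events" claim.
BACKCHANNEL_LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"


class LogoutTokenValidator:
    """Claim-level validation plus jti replay detection for one RP."""

    def __init__(self, issuer, client_id, max_lifetime=120, clock_skew=30, now=time.time):
        self.issuer = issuer
        self.client_id = client_id
        self.max_lifetime = max_lifetime   # seconds after iat a token stays acceptable (2 min cap)
        self.clock_skew = clock_skew       # tolerated OP/RP clock difference in seconds
        self.now = now                     # injectable clock so tests are deterministic
        self._seen_jti = {}                # jti -> time after which it can be forgotten

    def _purge(self, now):
        # A jti only needs remembering while its token could still be accepted,
        # so the short lifetime keeps this cache bounded.
        self._seen_jti = {j: t for j, t in self._seen_jti.items() if t > now}

    @staticmethod
    def _is_number(value):
        return isinstance(value, (int, float)) and not isinstance(value, bool)

    def validate(self, claims):
        """Return (True, "ok") when the token is acceptable, else (False, reason)."""
        now = self.now()
        self._purge(now)

        if claims.get("iss") != self.issuer:
            return False, "iss mismatch"
        aud = claims.get("aud")
        if isinstance(aud, str):
            aud = [aud]
        if not isinstance(aud, list) or self.client_id not in aud:
            return False, "aud does not contain this client"
        if "nonce" in claims:
            return False, "nonce MUST NOT be present in a Logout Token"
        if "sub" not in claims and "sid" not in claims:
            return False, "neither sub nor sid present"
        events = claims.get("events")
        if not isinstance(events, dict) or not isinstance(events.get(BACKCHANNEL_LOGOUT_EVENT), dict):
            return False, "events claim lacks the backchannel-logout member"

        iat = claims.get("iat")
        if not self._is_number(iat):
            return False, "iat missing or not numeric"
        if iat > now + self.clock_skew:
            return False, "iat is in the future"
        # Accept until the OP's exp if present, but never beyond our own cap after iat.
        deadline = iat + self.max_lifetime
        exp = claims.get("exp")
        if self._is_number(exp):
            deadline = min(deadline, exp)
        if now > deadline + self.clock_skew:
            return False, "token expired"

        jti = claims.get("jti")
        if not isinstance(jti, str) or not jti:
            return False, "jti missing"
        if jti in self._seen_jti:
            return False, "replayed jti"
        self._seen_jti[jti] = deadline + self.clock_skew
        return True, "ok"


def demo():
    """Run the validator over constructed claim sets and return the outcomes in order."""
    t0 = 1_490_000_000  # constructed fixed "now"
    v = LogoutTokenValidator("https://op.example", "rp-client-1", now=lambda: t0)
    good = {
        "iss": "https://op.example",
        "aud": "rp-client-1",
        "iat": t0 - 10,
        "jti": "tok-1",
        "sid": "sess-42",
        "events": {BACKCHANNEL_LOGOUT_EVENT: {}},
    }
    return [
        v.validate(good),                                        # accepted
        v.validate(good),                                        # same jti again: replay
        v.validate({**good, "jti": "tok-2", "nonce": "abc"}),    # nonce is forbidden
        v.validate({**good, "jti": "tok-3", "iat": t0 - 600}),   # older than the 2 minute cap
    ]


if __name__ == "__main__":
    for ok, reason in demo():
        print(ok, reason)
```

The clock is injected so the replay and expiry paths can be exercised without waiting; in a deployment with several RP instances the `_seen_jti` map would need to live in shared storage, which is why the lifetime cap matters for its size.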