[Openid-specs-ab] Comments on OpenID Connect Front-Channel Logout

Mike Jones Michael.Jones at microsoft.com
Sun Mar 26 21:13:40 UTC 2017

Thanks for your review, Torsten.

John, can you answer the first question about the matching domain, port, and scheme?

The query parameters are optional because in some deployments, it's normal to log all sessions out upon logout (usually because multiple sessions for different users aren't even possible on the RP on the same connection).  For instance, this is the case for Microsoft Accounts and their relying parties.  RPs that need this information can signal this requirement using the "frontchannel_logout_session_required" registration parameter.

I'll look at the section swap suggestion for the next draft.

Good point about Section 4.

				Thanks again,
				-- Mike

-----Original Message-----
From: Openid-specs-ab [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Torsten Lodderstedt via Openid-specs-ab
Sent: Sunday, March 26, 2017 12:58 PM
To: openid-specs-ab at lists.openid.net
Subject: [Openid-specs-ab] Comments on OpenID Connect Front-Channel Logout

Hi all,

since we are in voting for Implementer’s draft on the session management/logout specs, I gave this spec another read and came up with the following comments:

Section 2:

"RPs supporting HTTP-based logout register a logout URI with the OP as part of their client registration. The domain, port, and scheme of this URL MUST be the same as that of a registered Redirection URI value."

If the client is required to register a logout URI with the OP, why is this URI constrained to match parts of the redirect URI?

“The OP MAY add these query parameters …” - why isn’t this a MUST? Are you assuming not all OPs will be able to provide the RP with a session id?

I think it would improve readability to swap sections 2 and 3, e.g. the sid concept would be introduced before it is used in explaining the RP logout callback URL.

Section 4: I would suggest to just refer to the session management spec’s text on RP-initiated logout instead of partially replicating text. It typically causes lifecycle issues. Moreover, the reader anyway needs to switch over for all the details.

kind regards,
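
An added example, not part of either message or of the specification: a Python sketch of how an OP could enforce the Section 2 rule quoted above (same scheme, domain, and port as a registered Redirection URI) and append the session parameters only when the RP registered "frontchannel_logout_session_required". The client record shape and function names are hypothetical, the sample values are constructed, and the frontchannel_logout_uri, iss, and sid names follow the Front-Channel Logout spec.

```python
from urllib.parse import urlsplit, urlunsplit, urlencode, parse_qsl

DEFAULT_PORTS = {"https": 443, "http": 80}

def origin(uri):
    """Return (scheme, host, port), making the scheme's default port explicit."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port

def logout_uri_allowed(logout_uri, redirect_uris):
    """True if scheme, domain and port equal those of a registered redirect URI."""
    candidate = origin(logout_uri)
    if not candidate[0] or not candidate[1]:
        return False  # relative or malformed URI can never match
    return any(candidate == origin(r) for r in redirect_uris)

def build_logout_url(client, issuer, sid):
    """URL the OP would load in a hidden iframe to log this RP out."""
    uri = client["frontchannel_logout_uri"]
    if not logout_uri_allowed(uri, client["redirect_uris"]):
        raise ValueError("logout URI does not match any registered redirect URI")
    parts = urlsplit(uri)
    query = parse_qsl(parts.query, keep_blank_values=True)
    # Assumption: this OP sends iss/sid only to RPs that asked for them.
    if client.get("frontchannel_logout_session_required", False):
        query += [("iss", issuer), ("sid", sid)]
    return urlunsplit(parts._replace(query=urlencode(query)))

# Constructed registration record for illustration.
CLIENT = {
    "redirect_uris": ["https://rp.example.com/cb"],
    "frontchannel_logout_uri": "https://rp.example.com/logout?tenant=a",
    "frontchannel_logout_session_required": True,
}

if __name__ == "__main__":
    print(build_logout_url(CLIENT, "https://op.example.com", "08a5019c"))
```

Comparing normalized (scheme, host, port) tuples rather than string prefixes keeps lookalike hosts and non-default ports from passing the check.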
