[Openid-specs-ab] Comments on OpenID Connect Front-Channel Logout

Filip Skokan panva.ip at gmail.com
Mon Mar 27 08:13:33 UTC 2017


The occurrences of "HTTP-based logout" should likely be changed to
"Front-Channel Logout" since the spec was renamed.

Best,
*Filip*

On Sun, Mar 26, 2017 at 11:13 PM, Mike Jones via Openid-specs-ab <
openid-specs-ab at lists.openid.net> wrote:

> Thanks for your review, Torsten.
>
> John can you answer the first question about the matching domain, port,
> and scheme?
>
> The query parameters are optional because in some deployments, it's normal
> to log all sessions out upon logout (usually because multiple sessions for
> different users aren't even possible on the RP on the same connection).
> For instance, this is the case for Microsoft Accounts and their relying
> parties.  RPs that need this information can signal this requirement using
> the "frontchannel_logout_session_required" registration parameter.
>
> I'll look at the section swap suggestion for the next draft.
>
> Good point about Section 4.
>
>                                 Thanks again,
>                                 -- Mike
>
> -----Original Message-----
> From: Openid-specs-ab [mailto:openid-specs-ab-bounces at lists.openid.net]
> On Behalf Of Torsten Lodderstedt via Openid-specs-ab
> Sent: Sunday, March 26, 2017 12:58 PM
> To: openid-specs-ab at lists.openid.net
> Subject: [Openid-specs-ab] Comments on OpenID Connect Front-Channel Logout
>
> Hi all,
>
> since we are in voting for Implementer’s draft on the session
> management/logout specs, I gave this spec another read and came up with the
> following comments:
>
> Section 2:
>
> "RPs supporting HTTP-based logout register a logout URI with the OP as
> part of their client registration. The domain, port, and scheme of this URL
> MUST be the same as that of a registered Redirection URI value."
>
> If the client is required to register a logout URI with the OP, why is
> this URI constrained to match parts of the redirect URI?
>
> “The OP MAY add these query parameters …” - why isn’t this a MUST? Are you
> assuming not all OPs will be able to provide the RP with a session id?
>
> I think it would improve readability to swap sections 2 and 3, e.g. the
> sid concept would be introduced before it is used in explaining the RP
> logout callback URL.
>
> Section 4: I would suggest to just refer to the session management spec’s
> text on RP-initiated logout instead of partially replicating text. It
> typically causes lifecycle issues. Moreover, the reader anyway needs to
> switch over for all the details.
>
> kind regards,
> Torsten.
>
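The two points argued in the thread, the origin constraint on the registered logout URI and the optional session identifier on the logout call, as an added example that is not part of the thread or of the spec's own text. The parameter names `frontchannel_logout_uri`, `frontchannel_logout_session_required`, `iss` and `sid` are the ones the Front-Channel Logout spec defines; the function names, the in-memory session store and the sample issuer and RP hostnames are assumptions made for this example.

```python
# Added example (not from the spec or the list thread): OP-side registration
# checks and logout-URL construction, plus the RP-side logout callback, for
# OpenID Connect Front-Channel Logout. Helper names and sample values are
# constructed for this example.
from urllib.parse import parse_qs, urlencode, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(uri: str):
    """Return (scheme, host, effective port) so implicit and explicit ports compare equal."""
    u = urlsplit(uri)
    scheme = u.scheme.lower()
    port = u.port if u.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, u.hostname, port


def logout_uri_matches_redirect(logout_uri: str, redirect_uris) -> bool:
    """The constraint quoted in the thread: scheme, host and port of the logout
    URI must equal those of some registered redirect_uri."""
    return any(origin_of(logout_uri) == origin_of(r) for r in redirect_uris)


def validate_registration(metadata: dict) -> list:
    """Return a list of problems with the logout-related registration metadata."""
    problems = []
    logout_uri = metadata.get("frontchannel_logout_uri")
    if logout_uri is not None:
        if urlsplit(logout_uri).fragment:
            problems.append("frontchannel_logout_uri must not contain a fragment")
        if not logout_uri_matches_redirect(logout_uri, metadata.get("redirect_uris", [])):
            problems.append("frontchannel_logout_uri origin does not match any redirect_uri")
    return problems


def register_client(metadata: dict) -> dict:
    """OP-side registration: reject bad logout URIs and record whether the RP
    needs a per-session identifier on logout."""
    problems = validate_registration(metadata)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "client_id": metadata["client_id"],
        "frontchannel_logout_uri": metadata.get("frontchannel_logout_uri"),
        "frontchannel_logout_session_required": bool(
            metadata.get("frontchannel_logout_session_required", False)
        ),
    }


def build_logout_url(client: dict, issuer: str, sid: str):
    """URL the OP renders (typically in an iframe) to log this RP out.
    iss and sid are added only when the RP asked for them, which is the
    'MAY' defended in the thread; an RP with no logout URI gets None."""
    base = client.get("frontchannel_logout_uri")
    if base is None:
        return None
    if not client["frontchannel_logout_session_required"]:
        return base
    sep = "&" if urlsplit(base).query else "?"
    return base + sep + urlencode({"iss": issuer, "sid": sid})


def rp_handle_logout(query: str, expected_issuer: str, sessions: dict, session_required: bool):
    """RP logout callback. sessions maps a local session id to {"iss": ..., "sid": ...}
    as recorded from the ID Token at login. Returns the local session ids ended."""
    params = parse_qs(query)
    iss = params.get("iss", [None])[0]
    sid = params.get("sid", [None])[0]
    if (iss is None) != (sid is None):
        raise ValueError("iss and sid must be sent together")
    if iss is None:
        if session_required:
            raise ValueError("this RP requires iss and sid on logout")
        # No session identified: end every session from this issuer, the
        # single-user-per-browser deployment model described in the thread.
        ended = [k for k, v in sessions.items() if v["iss"] == expected_issuer]
    else:
        if iss != expected_issuer:
            raise ValueError("iss does not match the OP this RP trusts")
        ended = [k for k, v in sessions.items() if v["iss"] == iss and v["sid"] == sid]
    for k in ended:
        del sessions[k]
    return ended
```

Comparing effective ports rather than the literal port string keeps `https://rp.example/cb` and `https://rp.example:443/logout` on the same origin, which is what the "domain, port, and scheme" wording intends; on the RP side, a caller that sends only one of `iss` and `sid` is rejected rather than treated as a wildcard logout, and the issuer is always checked so that an unrelated OP cannot end sessions it did not create.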