[Openid-specs-ab] Comments on OpenID Connect Front-Channel Logout

Filip Skokan panva.ip at gmail.com
Mon Mar 27 08:13:33 UTC 2017

The occurrences of "HTTP-based logout" should likely be changed to
"Front-Channel Logout" since the spec was renamed.


On Sun, Mar 26, 2017 at 11:13 PM, Mike Jones via Openid-specs-ab <
openid-specs-ab at lists.openid.net> wrote:

> Thanks for your review, Torsten.
> John can you answer the first question about the matching domain, port,
> and scheme?
> The query parameters are optional because in some deployments, it's normal
> to log all sessions out upon logout (usually because multiple sessions for
> different users aren't even possible on the RP on the same connection).
> For instance, this is the case for Microsoft Accounts and their relying
> parties.  RPs that need this information can signal this requirement using
> the "frontchannel_logout_session_required" registration parameter.
> I'll look at the section swap suggestion for the next draft.
> Good point about Section 4.
>                                 Thanks again,
>                                 -- Mike
> -----Original Message-----
> From: Openid-specs-ab [mailto:openid-specs-ab-bounces at lists.openid.net]
> On Behalf Of Torsten Lodderstedt via Openid-specs-ab
> Sent: Sunday, March 26, 2017 12:58 PM
> To: openid-specs-ab at lists.openid.net
> Subject: [Openid-specs-ab] Comments on OpenID Connect Front-Channel Logout
> Hi all,
> since we are in voting for Implementer’s draft on the session
> management/logout specs, I gave this spec another read and came up with the
> following comments:
> Section 2:
> "RPs supporting HTTP-based logout register a logout URI with the OP as
> part of their client registration. The domain, port, and scheme of this URL
> MUST be the same as that of a registered Redirection URI value."
> If the client is required to register a logout URI with the OP, why is
> this URI constrained to match parts of the redirect URI?
> “The OP MAY add these query parameters …” - why isn’t this a MUST? Are you
> assuming not all OPs will be able to provide the RP with a session id?
> I think it would improve readability to swap sections 2 and 3, e.g. the
> sid concept would be introduced before it is used in explaining the RP
> logout callback URL.
> Section 4: I would suggest to just refer to the session management spec’s
> text on RP-initiated logout instead of partially replicating text. It
> typically causes lifecycle issues. Moreover, the reader anyway needs to
> switch over for all the details.
> kind regards,
> Torsten.
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
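As an added illustration of the two points debated above (example code written for this page, not code from the thread, the spec or any OpenID project), a Python sketch of an RP that enforces the Section 2 origin constraint when a logout URI is registered and then acts on a front-channel logout request with or without the optional query parameters. The parameter names iss and sid are the spec's; the in-memory session store and the issuer and session values are constructed stand-ins.

```python
from urllib.parse import urlparse

DEFAULT_PORTS = {"https": 443, "http": 80}


def logout_uri_allowed(logout_uri, redirect_uris):
    """Section 2 check: scheme, host and port of the logout URI must match
    those of at least one registered Redirection URI (path may differ)."""
    def origin(u):
        p = urlparse(u)
        port = p.port if p.port is not None else DEFAULT_PORTS.get(p.scheme)
        return (p.scheme.lower(), (p.hostname or "").lower(), port)
    return origin(logout_uri) in {origin(r) for r in redirect_uris}


class RpSessionStore:
    """Constructed stand-in for the RP's per-browser session state."""

    def __init__(self, op_issuer, session_required):
        self.op_issuer = op_issuer            # issuer of the OP this RP trusts
        self.session_required = session_required  # frontchannel_logout_session_required
        self.sessions = {}                    # sid -> subject, as set up at login

    def handle_frontchannel_logout(self, query):
        """Process the OP's logout request (query string as a dict).
        Returns the list of sids terminated, or None if the request is rejected."""
        iss = query.get("iss")
        sid = query.get("sid")
        if iss is None and sid is None:
            # Parameters omitted: only acceptable when the RP did not ask for
            # them; then, as in the Microsoft Accounts case described above,
            # every session on this browser connection is ended.
            if self.session_required:
                return None
            terminated = list(self.sessions)
            self.sessions.clear()
            return terminated
        # Both must be present and the issuer must be the OP we registered with,
        # so that an unrelated party cannot pick which session to end.
        if iss is None or sid is None or iss != self.op_issuer:
            return None
        if sid in self.sessions:
            del self.sessions[sid]
            return [sid]
        return []  # unknown sid: nothing to end, but not an error
```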