[Openid-specs-ab] Issue #1049: backchannel logout requests should include a reference to the OP (openid/connect)

Phil Hunt phil.hunt at oracle.com
Fri Sep 21 15:59:11 UTC 2018


Right. This was one of many concerns I had about the use of fixed or shared endpoints with both backchannel and the secevents delivery work. 

Allowing a per-stream delivery endpoint provides a lot of context and tenancy/sharding features. E.g.

/logouts/<streamid>/

So I agree: if there are multiple OPs, additional detection is needed outside the SET, or it becomes a DoS problem if the events have to be heavily processed before rejection. 

Phil

> On Sep 21, 2018, at 8:41 AM, Hans Zandbelt <hans.zandbelt at zmartzone.eu> wrote:
> 
> my core point is about iss being inside of a JWT encrypted with an iss-specific symmetric secret
> 
> Hans.
> 
>> On Fri, Sep 21, 2018 at 5:38 PM Phil Hunt via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:
>> Interesting. My assumption is iss, aud etc are req’d claims from JWT. 
>> 
>> However maybe a reminder is important?
>> 
>> Phil
>> 
>> > On Sep 21, 2018, at 4:52 AM, Hans Zandbelt via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:
>> > 
>> > New issue 1049: backchannel logout requests should include a reference to the OP
>> > https://bitbucket.org/openid/connect/issues/1049/backchannel-logout-requests-should-include
>> > 
>> > Hans Zandbelt:
>> > 
>> > Whilst taking a stab at implementing backchannel logout according to:
>> > https://openid.net/specs/openid-connect-backchannel-1_0.html
>> > 
>> > I found that for an RP that connects to multiple OPs it would be impossible to deduce the OP from the `logout_token` if it is encrypted with a symmetric key, since, following the OpenID Connect `id_token` guidelines (as suggested), it would have to decrypt with the `client_secret`, which is (hopefully) a per-provider setting. Trying all OPs/`client_secret`s consecutively would be very inefficient and probably not what anyone would want to do.
>> > 
>> > I suggest adding an `iss` parameter to the backchannel logout request in addition to the `logout_token` parameter. 
>> > 
>> > This will also make it easier for implementors to share the code path with `id_token` validation since they'd no longer have to "peek" into the `id_token` before calling the validation routine that may be issuer specific. The issuer would typically be known before validating the id_token since it is recorded in the (browser bound) state.
>> > 
>> > 
>> > _______________________________________________
>> > Openid-specs-ab mailing list
>> > Openid-specs-ab at lists.openid.net
>> > http://lists.openid.net/mailman/listinfo/openid-specs-ab
>> 
> 
> 
> -- 
> hans.zandbelt at zmartzone.eu
> ZmartZone IAM - www.zmartzone.eu
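An added example, not code from this thread or from any participant's implementation, of the RP-side situation Hans describes: an RP registered at two OPs with two different `client_secret`s, which without an `iss` hint has to try each key in turn, and with the proposed `iss` parameter selects the key directly and then cross-checks it against the protected claims. The logout token is an HS256-signed stand-in (a symmetric JWE cannot be built from the Python standard library); the OP names, client ids and secrets are constructed.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import parse_qs
LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"
# Constructed config of a hypothetical RP registered at two OPs; the per-OP
# client_secret is exactly what makes "which key do I try first" the problem.
OPS = {
    "https://op-a.example": {"client_id": "rp-at-a", "client_secret": b"constructed-secret-a"},
    "https://op-b.example": {"client_id": "rp-at-b", "client_secret": b"constructed-secret-b"},
}

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_logout_token(iss, sub, signing_iss=None):
    """Stand-in OP: HS256 logout token keyed with the client_secret of signing_iss (defaults to iss)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "logout+jwt"}).encode())
    claims = {"iss": iss, "aud": OPS[iss]["client_id"], "sub": sub, "iat": int(time.time()),
              "jti": "constructed-jti", "events": {LOGOUT_EVENT: {}}}
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(OPS[signing_iss or iss]["client_secret"], f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_with(iss, token):
    """Verify under one OP's secret; the hint only picks the key, the protected claims must name that OP."""
    cfg = OPS[iss]
    header, payload, sig = token.split(".")
    expected = hmac.new(cfg["client_secret"], f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return None
    claims = json.loads(b64url_decode(payload))
    if claims.get("iss") != iss or claims.get("aud") != cfg["client_id"] or LOGOUT_EVENT not in claims.get("events", {}):
        return None
    return claims

def handle_logout_request(body):
    """RP backchannel logout endpoint. Returns (http_status, claims_or_None, verification_attempts)."""
    form = parse_qs(body)
    token = form.get("logout_token", [None])[0]
    if token is None or token.count(".") != 2:
        return 400, None, 0
    iss_hint = form.get("iss", [None])[0]  # the extra parameter proposed in the issue
    # With a usable hint the RP tries exactly one key; without it, every registered OP in turn.
    candidates = [iss_hint] if iss_hint in OPS else list(OPS)
    for attempts, iss in enumerate(candidates, 1):
        claims = verify_with(iss, token)
        if claims is not None:
            return 200, claims, attempts
    return 400, None, len(candidates)
```

With a signed token the RP could still peek at the payload to find `iss`; with a symmetrically encrypted one it cannot, which is why the lookup-then-verify logic above keys off the request parameter and never off an unverified claim.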