<div dir="ltr"><br><br><div class="gmail_quote">On Tue, Mar 10, 2015 at 12:52 AM Mike Jones <<a href="mailto:Michael.Jones@microsoft.com">Michael.Jones@microsoft.com</a>> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="EN-US" link="blue" vlink="purple">
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Thanks for pointing out the typos, Thomas. I was writing that text apparently too quickly. I’ll correct it!<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">You’re right that Session Management is about state change but the primary state change reacted to by the RP is logout. That’s why the next-to-last paragraph
in the RP iframe section at <a href="http://openid.net/specs/openid-connect-session-1_0.html#RPiframe" target="_blank">
http://openid.net/specs/openid-connect-session-1_0.html#RPiframe</a> says:<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span lang="EN" style="font-size:10.0pt;font-family:"Verdana","sans-serif";color:black">When the RP detects a session state change, it SHOULD first try a
</span><tt><span lang="EN" style="font-size:10.0pt">prompt=none</span></tt><span lang="EN" style="font-size:10.0pt;font-family:"Verdana","sans-serif";color:black"> request within an iframe to obtain a new ID Token and session state, sending the old ID Token
as the </span><tt><span lang="EN" style="font-size:10.0pt">id_token_hint</span></tt><span lang="EN" style="font-size:10.0pt;font-family:"Verdana","sans-serif";color:black">. If the RP receives an ID token for the same End-User, it SHOULD simply update the
value of the session state. If it doesn't receive an ID token or receives an ID token for another End-User, then it needs to handle this case as a logout for the original End-User.</span><span style="font-size:10.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Both specs can do either RP- or OP-initiated logout. (The RP-initiated logout is the same in both.) In one, the OP communicates the logout message with a
GET (an HTTP action)</span></p></div></div></blockquote><div><br></div><div>Expected to be triggered by an <img> or <iframe> in an HTML page, so I'd rather call it "HTML" than "HTTP".</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="EN-US" link="blue" vlink="purple"><div><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">and in the other with a postMessage (an HTML action). </span></p></div></div></blockquote><div><br></div><div>For me, it's more "JavaScript" (or "postMessage", or more accurately "cross-document messaging", but in any case require JS to be supported and enabled in the browser) than "HTML".</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="EN-US" link="blue" vlink="purple"><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">That’s why we chose the name – because there’s some differentiation based on the two mechanisms.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">The problem with the “browser-based logout” name is that the Session Management spec also facilitates browser-based logout. We were trying for a name that
differentiates the two specs.</span></p></div></blockquote><div><br></div><div>How about merging the specs?</div><div><span style="color:rgb(31,73,125);font-family:Calibri,sans-serif;font-size:11pt"><br></span></div>The "postMessage" approach is about "near real-time", and assumes documents are loaded (and "running") concurrently in the browser (which is not the case on mobile AFAIK). It works particularly well for single-page apps, or even any other apps where the user fills out forms (detecting the logout on the client-side can help in not loosing data: e.g. the user can re-login and then submit the form).</div><div class="gmail_quote">The "<img>" approach is a bit simpler, doesn't require JS (but can be enhanced with JS), but won't work well with single-page apps (or other long-running client apps) as it goes to the server first.</div><div class="gmail_quote">Both are complementary when it comes to managing (and terminating) sessions.</div><div class="gmail_quote"><div><span style="color:rgb(31,73,125);font-family:Calibri,sans-serif;font-size:11pt"> </span></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="EN-US" link="blue" vlink="purple">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">We should probably continue talking about the name. Let’s add it as a topic to the Thursday working group call. Thomas – you’re free to join it. Join at
<a href="https://www3.gotomeeting.com/join/181372694" target="_blank">https://www3.gotomeeting.com/join/181372694</a> or +1 (646) 982-0002, access code 181-372-694 or see
<a href="https://global.gotomeeting.com/public/prelogin.html#meetings/181372694/numbersdisplay" target="_blank">
https://global.gotomeeting.com/public/prelogin.html#meetings/181372694/numbersdisplay</a> for more phone numbers. The call is at 7am US Pacific Time which would be 15:00 CET this week.</span></p></div></blockquote><div><br></div><div>I won't be available that Thursday sorry. Maybe next week (depending on the agenda).</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="EN-US" link="blue" vlink="purple"><div><div>
</div>
</div></div></blockquote></div></div>