[Openid-specs-mobile-profile] How to invalidate cookie sessions in RP
ve7jtb at ve7jtb.com
Mon Mar 28 18:33:43 UTC 2016
There specs for logout in the front channel using redirects, and one I am working on for the back channel.
It is probably a bad practice to have session cookies that don’t expire. We have seen requests for logout, but not a account deprovisioning other than through SCIM or something like that.
I would ask why a user being unsubscribed to mobile connect is a problem for the SP as long as the session is good. Is this different from logout?
I can potentially see backchannel logout being required if the user doesn’t have an active browser session.
I think what you will find on the web is that most SP don’t retain enough of the session in the server to be able to correlate and kill a front channel session based on a out of band signal.
So while SP do ask for back channel logout, most of them decide that they can’t do it based on how the site is designed around cookies.
I think the closest thing is backchannel logout, but most RP/SP won’t do it.
It is exactly the same problem in SAML and almost no one uses the SAML SLO spec for that reason.
> On Mar 28, 2016, at 2:37 PM, GONZALO FERNANDEZ RODRIGUEZ <gonzalo.fernandezrodriguez at telefonica.com> wrote:
> Hi guys,
> I would like to know your opinion as experts in OIDC about how to invalidate the session cookies in the RP in case of a user abandons Mobile Connect. I mean, I am thinking in the next problem:
> A Relaying Party “RP1” using Mobile Connect authenticates the user “user1” using Mobile Connect in an MNO.
> The relaying party sets a cookie, likely with the id_token (to be able to check the expiration) for a long time.
> The user “user1” is unsuscribed in Mobile Connect, however he can still be authenticated in the RP1 relaying party because the cookie is still valid.
> The question is if there is some standard way to proceed to communicate the RP1 that the user “user1” is no longer is Mobile Connect subscriber, and allow the RP to invalidate the cookie.
> Este mensaje y sus adjuntos se dirigen exclusivamente a su destinatario, puede contener información privilegiada o confidencial y es para uso exclusivo de la persona o entidad de destino. Si no es usted. el destinatario indicado, queda notificado de que la lectura, utilización, divulgación y/o copia sin autorización puede estar prohibida en virtud de la legislación vigente. Si ha recibido este mensaje por error, le rogamos que nos lo comunique inmediatamente por esta misma vía y proceda a su destrucción.
> The information contained in this transmission is privileged and confidential information intended only for the use of the individual or entity named above. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this transmission in error, do not read it. Please immediately reply to the sender that you have received this communication in error and then delete it.
> Esta mensagem e seus anexos se dirigem exclusivamente ao seu destinatário, pode conter informação privilegiada ou confidencial e é para uso exclusivo da pessoa ou entidade de destino. Se não é vossa senhoria o destinatário indicado, fica notificado de que a leitura, utilização, divulgação e/ou cópia sem autorização pode estar proibida em virtude da legislação vigente. Se recebeu esta mensagem por erro, rogamos-lhe que nos o comunique imediatamente por esta mesma via e proceda a sua destruição
> Openid-specs-mobile-profile mailing list
> Openid-specs-mobile-profile at lists.openid.net <mailto:Openid-specs-mobile-profile at lists.openid.net>
> http://lists.openid.net/mailman/listinfo/openid-specs-mobile-profile <http://lists.openid.net/mailman/listinfo/openid-specs-mobile-profile>
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Openid-specs-mobile-profile