[Openid-specs-mobile-profile] Comments on OpenID Connect Front-Channel Logout
torsten at lodderstedt.net
Sun Mar 26 12:54:58 UTC 2017
Since we are in voting for the Implementer’s draft on the session management/logout specs, I gave this spec another read and came up with the following comments:
“RPs supporting HTTP-based logout register a logout URI with the OP as part of their client registration. The domain, port, and scheme of this URL MUST be the same as that of a registered Redirection URI value.”
If the client is required to register a logout URI with the OP, why is this URI constrained to match parts of the redirect URI?
“The OP MAY add these query parameters …” - why isn’t this a MUST? Are you assuming not all OPs will be able to provide the RP with a session id?
I think it would improve readability to swap sections 2 and 3, e.g. the sid concept would be introduced before it is used in explaining the RP logout callback URL.
Section 4: I would suggest just referring to the session management spec’s text on RP-initiated logout instead of partially replicating it. That typically causes lifecycle issues. Moreover, the reader needs to switch over for all the details anyway.
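As an added illustration (not code from the thread or from the spec), the two checks the comments above touch on: the OP-side registration rule quoted from the spec, and the RP-side handling of a front-channel logout request where the OP MAY or may not have supplied a session id. The parameter names iss and sid are those used by the Front-Channel Logout spec; the URLs, issuer and session store are constructed.

```python
"""Checks around OpenID Connect Front-Channel Logout (added example)."""
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit


def _origin(url: str) -> Tuple[str, str, int]:
    """Return (scheme, host, port), filling in the scheme's default port."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"unsupported or malformed URL: {url!r}")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return parts.scheme, parts.hostname.lower(), port


def logout_uri_allowed(logout_uri: str, redirect_uris: List[str]) -> bool:
    """OP-side registration check: scheme, host and port of the logout URI
    must equal those of at least one registered redirection URI."""
    return _origin(logout_uri) in {_origin(u) for u in redirect_uris}


def session_to_terminate(query_string: str, expected_issuer: str,
                         sid_index: Dict[str, str],
                         cookie_session: Optional[str]) -> Optional[str]:
    """RP-side handling of the logout GET. `sid_index` maps the OP's sid to
    a local session id (constructed store); `cookie_session` is the session
    bound to the browser that issued the request. Returns the local session
    to end, or None when the request must be ignored."""
    q = parse_qs(query_string)
    iss = q.get("iss", [None])[0]
    sid = q.get("sid", [None])[0]
    if (iss is None) != (sid is None):
        return None  # iss and sid travel together; reject half a pair
    if iss is None:
        # OP sent no sid (the MAY case): only the browser-bound session is known
        return cookie_session
    if iss != expected_issuer:
        return None  # logout request does not come from our OP
    return sid_index.get(sid)  # None when the sid is unknown to this RP
```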