[Openid-specs-mobile-profile] Comments on OpenID Connect Back-Channel Logout
torsten at lodderstedt.net
Sun Mar 26 13:02:24 UTC 2017
and finally, here are my comments on the backchannel logout:
Remembering Logged-In RPs - is this any different in frontchannel logout? I’m asking because it isn’t mentioned there.
“The following Claim MUST NOT be used within the Logout Token:” as already stated in my earlier posting, I would simply not mention nonce at all. This just confuses readers.
“NOTE: An open issue for the specification is whether to define an additional optional parameter in the logout token, probably as a value in the event-specific parameters JSON object, that explicitly signals that offline_access refresh tokens are also to be revoked.”
My take on that is: The OP can revoke/invalidate refresh tokens at any time at its discretion, and any OAuth client must be able to handle it. So why add a parameter to signal this intention?
In contrast to front channel logout and session management, this spec does not specify an RP-initiated logout. I would suggest adding such a feature in order to cope with the typical front channel communication uncertainties (e.g. suddenly closed browser tabs).
I think the spec is undecided on logout token replay. Section 2.6. states: “Optionally verify that another Logout Token with the same jti value has not been recently received.” In contrast, section 4 states: “OPs are encouraged to use short expiration times in Logout Tokens, preferably at most two minutes in the future, to prevent captured Logout Tokens from being replayable.” Is there any preference?
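As an added illustration (not part of this post or of the specification text), the two replay defences the message contrasts can be combined on the RP side: enforce a short lifetime and keep a jti cache that is pruned once tokens expire, so the cache stays bounded by that lifetime. The class below checks a Logout Token's claims after signature verification; the issuer, client_id and two-minute lifetime are constructed example values, and treating a missing exp as a rejection is this example's policy.

```python
import time

BACKCHANNEL_LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"


class LogoutTokenValidator:
    """Validates the claims of an already signature-verified Logout Token.

    Replay protection uses both mechanisms discussed in the thread: a short
    maximum lifetime (exp - iat) and an in-memory jti cache whose entries are
    dropped once the token they belong to has expired.
    """

    def __init__(self, issuer, client_id, max_lifetime=120):
        self.issuer = issuer
        self.client_id = client_id
        self.max_lifetime = max_lifetime   # seconds; two minutes as suggested in the thread
        self._seen_jti = {}                # jti -> exp; constructed example cache

    def validate(self, claims, now=None):
        """Return (ok, reason) for a decoded JWT payload dict."""
        now = time.time() if now is None else now
        # Prune entries for tokens that can no longer be accepted anyway.
        self._seen_jti = {j: e for j, e in self._seen_jti.items() if e > now}

        if claims.get("iss") != self.issuer:
            return False, "issuer mismatch"
        aud = claims.get("aud")
        if not (aud == self.client_id or (isinstance(aud, list) and self.client_id in aud)):
            return False, "audience mismatch"
        if "sub" not in claims and "sid" not in claims:
            return False, "sub or sid required"
        if "nonce" in claims:                      # the spec forbids nonce in Logout Tokens
            return False, "nonce MUST NOT be present"
        events = claims.get("events")
        if not isinstance(events, dict) or BACKCHANNEL_LOGOUT_EVENT not in events:
            return False, "missing backchannel-logout event"
        iat, exp, jti = claims.get("iat"), claims.get("exp"), claims.get("jti")
        if not isinstance(iat, (int, float)) or not isinstance(exp, (int, float)):
            return False, "iat and exp required"
        if exp <= now:
            return False, "token expired"
        if exp - iat > self.max_lifetime:          # reject OPs that issue long-lived tokens
            return False, "lifetime exceeds policy"
        if not isinstance(jti, str):
            return False, "jti required"
        if jti in self._seen_jti:                  # same jti seen within its lifetime
            return False, "replayed jti"
        self._seen_jti[jti] = exp
        return True, "ok"
```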