[Openid-specs-risc] RISC events supported by Google

Marius Scurtescu mscurtescu at google.com
Tue Apr 11 18:24:49 UTC 2017


On Tue, Apr 11, 2017 at 11:02 AM, Mike Jones <Michael.Jones at microsoft.com>
wrote:

> This is useful, Marius.  What are the arguments for each of these events?
>

I hope we are going to collectively come up with arguments and reasons.

Here are Google's arguments for working on these particular events:
- sessions-revoked - allows RPs to keep sessions in sync with IdP, keep
user sessions secure in general
- tokens-revoked - RPs eventually can discover through usage that tokens it
holds for a user stopped working, this event provides a timely and explicit
signal, it tells the RP that the user explicitly terminated the
relationship, what the RP does with it depends, most likely RP wants to
terminate sessions, maybe drop data stored for that user
- account-deleted - the RP lost an IdP for that user, if it was the only
IdP then the RP is in a tricky situations since the user has no other way
to access the account, maybe if the RP still has an active session that can
be used to prompt the user to configure an alternative way to login to RP

- account-locked, -recovered, -reverification-requested are mostly targeted
as signals for abuse systems, but they have obvious session implications as
well

- account-identifier-changed - some RPs use the email address as main key
(even when stable identifier i also provided), this allows them to update
that key (otherwise manual intervention is needed on RP side)

Also, all these signals might be used as signals to an abuse system.


>
>
> *From:* Openid-specs-risc [mailto:openid-specs-risc-
> bounces at lists.openid.net] *On Behalf Of *Marius Scurtescu
> *Sent:* Tuesday, April 11, 2017 10:50 AM
> *To:* openid-specs-risc at lists.openid.net
> *Subject:* [Openid-specs-risc] RISC events supported by Google
>
>
>
> Right now Google supports the following events:
> - sessions-revoked - it states the Google closed all existing sessions for
> given subject
> - tokens-revoked - it states that Google revoked all tokens for given user
> and recipient (client), no individual token strings provided, applies only
> to tokens explicitly revoked by the user
>
> In the near future Google is planning to support:
> - account-deleted - the account was deleted, an RP should find an
> alternative way to authenticate the user, while they still have an active
> session (if Google was only IdP and no other recovery email then account is
> practically lost)
> - account-locked - account locked because of possibility of hijacking
> - account-recovered - user recovered previously locked account
> - account-reverification-requested - account not locked, but all sessions
> closed and user will be asked to change password on next login
>
> Potentially in the mid future:
> - account-identifier-changed - email address changes
> - other token revocation events (revoked by client through API, revoked by
> Google for various reasons)
> - log out events
>
> Thoughts?
>
>
>
> Which of these events do you think you would use and how?
>
>
>
> What other events would you like to receive from Google (and RISC in
> general)?
>
> Thanks,
> Marius
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-risc/attachments/20170411/c0cce9b2/attachment.html>


More information about the Openid-specs-risc mailing list