OpenID Connect Back-Channel Logout Specification

Mike Jones Michael.Jones at microsoft.com
Thu Sep 10 06:54:18 UTC 2015


A new back-channel OpenID Connect Logout spec has been published at http://openid.net/specs/openid-connect-backchannel-1_0.html.  This can coexist with or be used instead of the front-channel-based Session Management<http://openid.net/specs/openid-connect-session-1_0.html> and HTTP-Based Logout<http://openid.net/specs/openid-connect-logout-1_0.html> specifications.

The abstract for the new specification states:
This specification defines a logout mechanism that uses back-channel communication between the OP and RPs being logged out; this differs from front-channel logout mechanisms, which communicate logout requests from the OP to RPs via the User Agent.

This completes publication of the three planned OpenID Connect logout mechanisms:  two that communicate on the front-channel through the User Agent (browser) and this one that communicates on the back-channel, without involving the User Agent.  See the Introduction<http://openid.net/specs/openid-connect-backchannel-1_0-00.html#Introduction> for a discussion of the upsides and downsides of the different logout approaches.  As much as we'd like there to be a single logout solution, both experience and extensive discussions led us to the conclusion that there isn't a feasible one-size-fits-all approach.

Reviews of the new (and existing!) specifications are welcomed.

Thanks to John Bradley, Pedro Felix, Nat Sakimura, Brian Campbell, and Todd Lainhart for their contributions to the creation of the specification.

                                                            -- Mike

P.S.  This note was also published at http://self-issued.info/?p=1452 and as @selfissued<https://twitter.com/selfissued>.