Back-channel logout response with HTTP 400

Phil Hunt phil.hunt at oracle.com
Fri Aug 18 16:51:47 UTC 2017


Piraveena,

The log out event (which is based on SET Tokens) is informational.  Your question frames the logout as a command rather then an informational event.

Some background...
Normal functionality should be that the RP can only rejects the SET if the SET cannot be validated or parsed (or unauthorized).  SETs cannot be processed as commands. Thus the only reason for rejection is to let the issuer know their may be a configuration issue that may impact subsequent SET (ie. logout event) delivery.  

As to whether the logout is successful or not is for the RP to decide within its own domain. Some Clients may decide they do not care about SSO, some will. This is a contextual decision.  This is why SETs in general are framed as FYI type messages rather than commands.  IOW a backchannel logout event means “Subject xyz was logged out by the OP”. While we expect down stream RPs to also cancel the users RP session, they are not obligated to do so.  Likewise an RP logging a user out does not mean the OP must do the same. This depends on the relationship of the RP to the OP and vice-versa.

What assurance is there that logout notification worked?
I do understand that you are looking for an end-to-end confirmation of success. One of my concerns when the Backchannel Logout spec was approved for implementation was that the current draft does not support SET Delivery which provides assured delivery so we can know a potential logout event was received by an RP — giving some assurance that the logout notification was successful.

Phil

Oracle Corporation, Identity Cloud Services Architect & Standards
@independentid
www.independentid.com <http://www.independentid.com/>phil.hunt at oracle.com <mailto:phil.hunt at oracle.com>
> On Aug 18, 2017, at 5:20 AM, Piraveena Paralogarajah <piraveena.14 at cse.mrt.ac.lk> wrote:
> 
> Hi all,
> 
> In Back-channel logout, If the logout is invalid, then RP should respond with HTTP 400 Bad request. Then how P will handle this?
> 
> It will be helpful if someone can explain the workflow.
> 
> Thanks,
> Piraveena
> 
> -- 
> Piraveena Paralogarajah
> Undergraduate,
> Department of Computer Science and Engineering,
> University of Moratuwa,
> Sri Lanka.
> _______________________________________________
> specs mailing list
> specs at lists.openid.net
> https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.openid.net_mailman_listinfo_openid-2Dspecs&d=DwICAg&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=sClsY6Tr0v3GB-kLpFWwMO-NEjex-jDO1cqPjxlmWEw&s=hOwq2HHUdE9Z9wRpLT6enJxwjcZVXa9urw32pTZwmeg&e= 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs/attachments/20170818/cde85122/attachment.html>


More information about the specs mailing list