[OpenID] OP-Initiated Logout without User Involvement

Florian Forster florian at caos.ch
Wed Apr 29 15:17:52 UTC 2020


Hi Aeneas

Below are some questions/answers. Maybe I did not fully get your idea :-)

...when the user changes his/her password.
> I think most times this happens, it is directly at the OP (or at least
its storage) so is this really a use-case for OP initiated Back-channel
Logout? The OP can in this case decide by itself to cancel sessions and
trigger RPs about this. Maybe you can elaborate in which setup you find
this case.

...banned by an administrator which in turn should trigger OIDC
Back-Channel Logout.
> Is the user banned from the RP or the OP? Because, if it is an
Identity-Lifecycle thing, where the user is completely locked I
find services like SCIM 2.0 the proper tool. After an account
deactivation we could do the same as my answer above states.

Greetings Florian

Florian Forster

Head of CAOS

Phone:  +41 79 956 39 01

Web:      www.caos.ch


On Sat, 25 Apr 2020 at 13:25, Aeneas Rekkas <aeneas at ory.sh> wrote:

> Hi,
>
> we ( https://github.com/ory/hydra ) are receiving use cases for an
> OP-Initiated that does not involve the user’s browser and cookies. A use
> case might be that we want to perform Back-Channel Logout when the user
> changes his/her password. Another example would be that a user is banned by
> an administrator which in turn should trigger OIDC Back-Channel Logout. Is
> there any guidance on how this should be designed/implemented? Maybe even
> with an API Spec?
>
> Best
> Aeneas
> _______________________________________________
> general mailing list
> general at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-general
>
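The flow discussed in this thread (the OP cancels a user's sessions on a password change or ban and notifies each RP over the back channel), as an added sketch that is not code from the thread or from ORY Hydra. The claim set follows OpenID Connect Back-Channel Logout 1.0; the issuer, session store, RP URLs and the HS256 demo key (standing in for the OP's real signing key) are constructed assumptions.

```python
import base64, hashlib, hmac, json, time, uuid
from urllib.parse import urlencode

LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"

# Constructed sample data (assumptions): issuer, demo key, OP session store.
ISSUER = "https://op.example"
DEMO_KEY = b"demo-only-shared-secret"  # a real OP signs with its ID Token key
SESSIONS = [
    {"sub": "user-1", "sid": "s-100", "client_id": "rp-a",
     "backchannel_logout_uri": "https://rp-a.example/bcl"},
    {"sub": "user-1", "sid": "s-101", "client_id": "rp-b",
     "backchannel_logout_uri": "https://rp-b.example/bcl"},
    {"sub": "user-2", "sid": "s-200", "client_id": "rp-a",
     "backchannel_logout_uri": "https://rp-a.example/bcl"},
]

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def logout_token(session, now=None):
    """Build a signed Logout Token for one RP session."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "logout+jwt"}
    claims = {
        "iss": ISSUER, "aud": session["client_id"],
        "sub": session["sub"], "sid": session["sid"],
        "iat": now, "exp": now + 120, "jti": str(uuid.uuid4()),
        "events": {LOGOUT_EVENT: {}},  # a Logout Token never carries a nonce
    }
    parts = [b64url(json.dumps(p, separators=(",", ":")).encode())
             for p in (header, claims)]
    signing_input = ".".join(parts)
    sig = hmac.new(DEMO_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def on_account_event(sub, now=None):
    """Password change or ban: drop all OP sessions of `sub` and return
    the back-channel POSTs owed to the affected RPs (nothing is sent here)."""
    revoked = [s for s in SESSIONS if s["sub"] == sub]
    SESSIONS[:] = [s for s in SESSIONS if s["sub"] != sub]  # revoke at the OP first
    return [{"url": s["backchannel_logout_uri"],
             "headers": {"Content-Type": "application/x-www-form-urlencoded"},
             "body": urlencode({"logout_token": logout_token(s, now)})}
            for s in revoked]
```

No browser or cookie is involved: the trigger is an OP-side account event, and each RP learns which session to end from the `sid` and `sub` claims.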