[OpenID] OP-Initiated Logout without User Involvement
Florian Forster
florian at caos.ch
Wed Apr 29 18:09:45 UTC 2020
Me again
I think I took a wrong turn interpreting your email on my phone :-)
If I understand you correctly, you are searching for more or less this one
->
https://openid.net/specs/openid-connect-backchannel-1_0.html
Which basically defines a URL endpoint within the RP where the OP can send
a JWT. In your use case, is it a problem for the OP to track the clients on
which RP they did sign in?
Greets
On Wed, 29 Apr 2020 at 17:17, Florian Forster <florian at caos.ch> wrote:
> Hi Aeneas
>
> Below some questions/answers. Maybe I did not fully get your idea :-)
>
> ...when the user changes his/her password.
> > I think most times this happens, it is directly at the OP (or at least
> its storage), so is this really a use case for OP-initiated Back-Channel
> Logout? The OP can in this case decide by itself to cancel sessions and
> trigger RPs about this. Maybe you can elaborate in which setup you find
> this case.
>
> ...banned by an administrator which in turn should trigger OIDC
> Back-Channel Logout.
> > Is the user banned from the RP or the OP? Because, if it is an
> Identity-Lifecycle thing, where the user is completely locked, I
> find services like SCIM 2.0 the proper tool. After an account
> deactivation we could do the same as my answer above states.
>
> Greetings Florian
>
> Florian Forster
>
> Head of CAOS
>
> Phone: +41 79 956 39 01
>
> Web: www.caos.ch
>
>
> On Sat, 25 Apr 2020 at 13:25, Aeneas Rekkas <aeneas at ory.sh> wrote:
>
>> Hi,
>>
>> we ( https://github.com/ory/hydra ) are receiving use cases for an
>> OP-Initiated that does not involve the user’s browser and cookies. A use
>> case might be that we want to perform Back-Channel Logout when the user
>> changes his/her password. Another example would be that a user is banned by
>> an administrator which in turn should trigger OIDC Back-Channel Logout. Is
>> there any guidance on how this should be designed/implemented? Maybe even
>> with an API Spec?
>>
>> Best
>> Aeneas
> --
Florian Forster
Head of CAOS
Phone: +41 79 956 39 01
Web: www.caos.ch
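
The OP side of the flow discussed in this thread, as an added example (not code from the thread or from ORY Hydra): on a password change or ban, the OP looks up the RP sessions it tracked for the user and signs one Logout Token per session, with the claims the Back-Channel Logout spec linked above defines. The `Session` registry, issuer, URIs, the 2-minute lifetime and the throwaway `demoKey` are assumptions made for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"time"
)

// Session is one RP login the OP recorded for a user (hypothetical registry row).
type Session struct{ ClientID, SID, LogoutURI string }

var demoKey, _ = rsa.GenerateKey(rand.Reader, 2048) // throwaway demo signing key

// LogoutTokens signs one RS256 Logout Token per RP session of sub. The OP then POSTs
// each as logout_token=<jwt> to that session's LogoutURI, with no browser involved.
func LogoutTokens(key *rsa.PrivateKey, iss, sub string, reg map[string][]Session, now time.Time) (map[Session]string, error) {
	enc := base64.RawURLEncoding
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "logout+jwt"})
	out := map[Session]string{}
	for _, s := range reg[sub] {
		jti := make([]byte, 16) // unique per token so the RP can reject replays
		if _, err := rand.Read(jti); err != nil {
			return nil, err
		}
		claims, _ := json.Marshal(map[string]any{ // deliberately no nonce claim
			"iss": iss, "aud": s.ClientID, "sub": sub, "sid": s.SID,
			"iat": now.Unix(), "exp": now.Add(2 * time.Minute).Unix(), "jti": enc.EncodeToString(jti),
			"events": map[string]any{"http://schemas.openid.net/event/backchannel-logout": map[string]any{}},
		})
		input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(claims)
		sum := sha256.Sum256([]byte(input))
		sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, sum[:])
		if err != nil {
			return nil, err
		}
		out[s] = input + "." + enc.EncodeToString(sig)
	}
	return out, nil
}

func main() {
	reg := map[string][]Session{"alice": {{"rp-a", "sid-1", "https://rp-a.example/backchannel-logout"}}} // constructed
	fmt.Println(LogoutTokens(demoKey, "https://op.example", "alice", reg, time.Now()))
}
```

Each token is bound to one RP through `aud` and to one login through `sid`, so a token captured at one RP cannot be used to end sessions at another.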