[OpenID] OP-Initiated Logout without User Involvement
Aeneas Rekkas
aeneas at ory.sh
Thu Apr 30 07:31:36 UTC 2020
Hi Florian,
thank you for the responses!
> I think most times this happens, it is directly at the OP (or at least it's storage) so is this really a use-case for OP initiated Back-channel Logout? The OP can in this case decide by itself to cancel sessions and trigger RP's about this. Maybe you can elaborate in which setup you find this case.
Depends on the implementation of the OP. For ORY Hydra or CoreOS Dex, which are more or less „OpenID OP Proxies“, this would not be at the OP directly, but instead at the IdP (the actual user database that implements signup, account recovery et al.). Since OIDC does not specify anything regarding user registration and other basic flows, I would assume that this is an intended operational model, for example when having an existing user system and wanting to add OIDC support. In that case the original user system would do the password change, and the „OIDC support“ would need to be notified of that change in order to trigger a logout, which in turn triggers OIDC Backchannel Logout. My question is if there’s any guidance (e.g. API-wise or security-wise, „don’t do this and that!!!“) around that.
Hope this clarifies my question!
> On 29.04.2020 at 20:09, Florian Forster <florian at caos.ch> wrote:
>
> Me again
>
> I think I took a wrong turn interpreting your email on my phone :-)
>
> If I understand you correctly you search more or less this one
> ->
> https://openid.net/specs/openid-connect-backchannel-1_0.html
>
> Which basically defines a URL Endpoint within the RP where the OP can send a JWT. Is it in your use-case a problem for the OP to track the clients on which RP they did sign-in?
>
> Greets
>
> On Wed, 29 Apr 2020 at 17:17, Florian Forster <florian at caos.ch> wrote:
> Hi Aeneas
>
> Below some questions/answers. Maybe I did not fully get your idea :-)
>
> ...when the user changes his/her password.
> > I think most times this happens, it is directly at the OP (or at least it's storage) so is this really a use-case for OP initiated Back-channel Logout? The OP can in this case decide by itself to cancel sessions and trigger RP's about this. Maybe you can elaborate in which setup you find this case.
>
> ...banned by an administrator which in turn should trigger OIDC Back-Channel Logout.
> > Is the user banned from the RP or the OP? Because, if it is an Identity-Lifecycle thing, where the user is completely locked, I find services like SCIM 2.0 the proper tool. After an account deactivation we could do the same as my answer above states.
>
> Greetings Florian
>
>
> Florian Forster
> Head of CAOS
> Phone: +41 79 956 39 01
> Web: www.caos.ch
>
> On Sat, 25 Apr 2020 at 13:25, Aeneas Rekkas <aeneas at ory.sh> wrote:
> Hi,
>
> we ( https://github.com/ory/hydra ) are receiving use cases for an OP-Initiated Logout that does not involve the user’s browser and cookies. A use case might be that we want to perform Back-Channel Logout when the user changes his/her password. Another example would be that a user is banned by an administrator, which in turn should trigger OIDC Back-Channel Logout. Is there any guidance on how this should be designed/implemented? Maybe even with an API Spec?
>
> Best
> Aeneas
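The flow discussed in this thread, as an added illustration that is not part of the mailing-list exchange and is not ORY Hydra, Dex or CAOS code: an external IdP reports a password change (or a ban) for a subject, the OP looks up every RP session it holds for that subject and mints one Logout Token per session, and each RP validates the token exactly as OpenID Connect Back-Channel Logout 1.0 section 2.6 requires before ending its local session. The token is signed with HS256 and a shared secret purely to keep the example self-contained (the spec only requires the alg the client registered for ID tokens); the session table, client ids, URIs and the `OpSessionStore` / `revoke_subject` names are constructed for this example.

```python
"""OP-initiated Back-Channel Logout without user involvement (illustration).
Assumes HS256 with a shared secret and an in-memory OP session table; every
name and value here is constructed for the example, none is from a real OP."""
import base64, hashlib, hmac, json, time, uuid

BACKCHANNEL_EVENT = "http://schemas.openid.net/event/backchannel-logout"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def build_logout_token(issuer, client_id, sub, sid, key: bytes, now=None) -> str:
    """OP side: mint a Logout Token (Back-Channel Logout 1.0, section 2.4).
    Required: iss, aud, iat, jti, events; sub and/or sid; never a nonce."""
    now = int(now if now is not None else time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "aud": client_id, "sub": sub, "sid": sid,
              "iat": now, "jti": str(uuid.uuid4()),
              "events": {BACKCHANNEL_EVENT: {}}}
    signing_input = _b64(json.dumps(header).encode()) + "." + _b64(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)


def validate_logout_token(token, key, issuer, client_id, seen_jtis: set,
                          now=None, max_age=120) -> dict:
    """RP side: verify a Logout Token before terminating any session
    (section 2.6). Raises ValueError on the first failed check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(s)):
        raise ValueError("bad signature")
    if json.loads(_unb64(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")          # never trust the header's alg
    claims = json.loads(_unb64(p))
    now = int(now if now is not None else time.time())
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != client_id and not (isinstance(aud, list) and client_id in aud):
        raise ValueError("wrong audience")
    if abs(now - int(claims.get("iat", 0))) > max_age:
        raise ValueError("stale token")
    if "sub" not in claims and "sid" not in claims:
        raise ValueError("need sub or sid")
    if "nonce" in claims:
        raise ValueError("nonce is prohibited in a logout token")
    if BACKCHANNEL_EVENT not in claims.get("events", {}):
        raise ValueError("missing backchannel-logout event")
    jti = claims.get("jti")
    if not jti or jti in seen_jtis:
        raise ValueError("missing or replayed jti")
    seen_jtis.add(jti)                               # replay protection
    return claims


def logout_token_accepted(token, key, issuer, client_id, seen_jtis, now=None) -> bool:
    """Boolean wrapper around validate_logout_token for callers and tests."""
    try:
        validate_logout_token(token, key, issuer, client_id, seen_jtis, now)
        return True
    except ValueError:
        return False


class OpSessionStore:
    """OP side: which RPs each subject is logged into (constructed table).
    sid -> (sub, client_id, backchannel_logout_uri)."""

    def __init__(self, issuer, key: bytes):
        self.issuer, self.key, self.sessions = issuer, key, {}

    def add(self, sid, sub, client_id, backchannel_logout_uri):
        self.sessions[sid] = (sub, client_id, backchannel_logout_uri)

    def revoke_subject(self, sub, now=None):
        """Entry point for the IdP's 'password changed' / 'user banned' signal.
        Drops every session of the subject and returns (uri, token) pairs; a
        real OP would POST logout_token=<jwt> as form data to each uri."""
        deliveries = []
        for sid, (s, client_id, uri) in list(self.sessions.items()):
            if s != sub:
                continue
            deliveries.append((uri, build_logout_token(self.issuer, client_id, s, sid, self.key, now)))
            del self.sessions[sid]
        return deliveries


if __name__ == "__main__":
    key = b"constructed-shared-secret"
    store = OpSessionStore("https://op.example", key)
    store.add("sid-1", "alice", "rp-a", "https://rp-a.example/bc-logout")
    store.add("sid-2", "alice", "rp-b", "https://rp-b.example/bc-logout")
    for uri, tok in store.revoke_subject("alice"):
        print(uri, validate_logout_token(tok, key, "https://op.example",
                                         "rp-a" if "rp-a" in uri else "rp-b", set())["sid"])
```

The RP-side order of checks matters: the signature and issuer are verified before any claim is trusted, the `events` member and the absence of `nonce` are what distinguish a Logout Token from an ID token of the same issuer, and the `jti` set is what stops a captured token from being replayed against the RP.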