[OpenID] OP-Initiated Logout without User Involvement

Florian Forster florian at caos.ch
Thu Apr 30 08:21:23 UTC 2020


I think I now understand your question.

So you are asking about the idp -> op (oidc facade) "trigger" and not about
the op -> rp integration (OIDC Backchannel logout)[1], right?
I am not aware of a definition / standard for the idp -> op part, others
might be :-)

Most systems I know use specific integrations corresponding to the
idp capabilities, e.g. with LDAP they tail the audit log for changes or have
scheduled queries.

1: https://openid.net/specs/openid-connect-backchannel-1_0.html

Florian Forster

Head of CAOS

Phone: +41 79 956 39 01

Web: www.caos.ch


On Thu, 30 Apr 2020 at 09:31, Aeneas Rekkas <aeneas at ory.sh> wrote:

> Hi Florian,
>
> thank you for the responses!
>
> > I think most times this happens, it is directly at the OP (or at least
> its storage) so is this really a use-case for OP initiated Back-channel
> Logout? The OP can in this case decide by itself to cancel sessions and
> trigger RPs about this. Maybe you can elaborate in which setup you find
> this case.
>
> Depends on the implementation of the OP. For ORY Hydra or CoreOS Dex,
> which are more or less „OpenID OP Proxies“ this would not be at the OP
> directly, but instead at the IdP (the actual user database that implements
> signup, account recovery et al.). Since OIDC does not specify anything
> regarding user registration and other basic flows I would assume that this
> is an intended operational model. For example when having an existing user
> system and wanting to add OIDC support. In that case the original user
> system would do the password change, and the „OIDC support“ would need to
> be notified of that change in order to trigger a logout, which in turn
> triggers OIDC Backchannel Logout. My question is if there’s any guidance
> (e.g. API wise or security wise „don’t do this and that!!!“) around that.
>
> Hope this clarifies my question!
>
>
> Am 29.04.2020 um 20:09 schrieb Florian Forster <florian at caos.ch>:
>
> Me again
>
> I think I took a wrong turn interpreting your email on my phone :-)
>
> If I understand you correctly you search more or less this one
> ->
> https://openid.net/specs/openid-connect-backchannel-1_0.html
>
> Which basically defines a URL Endpoint within the RP where the OP can send
> a JWT. Is it in your use-case a problem for the OP to track the clients on
> which RP they did sign-in?
>
> Greets
>
> On Wed, 29 Apr 2020 at 17:17, Florian Forster <florian at caos.ch> wrote:
>
>> Hi Aeneas
>>
>> Below some questions/answers. Maybe I did not fully get your idea :-)
>>
>> ...when the user changes his/her password.
>> > I think most times this happens, it is directly at the OP (or at least
>> its storage) so is this really a use-case for OP initiated Back-channel
>> Logout? The OP can in this case decide by itself to cancel sessions and
>> trigger RPs about this. Maybe you can elaborate in which setup you find
>> this case.
>>
>> ...banned by an administrator which in turn should trigger OIDC
>> Back-Channel Logout.
>> > Is the user banned from the RP or the OP? Because, if it is an
>> Identity-Lifecycle thing, where the user is completely locked I
>> find services like SCIM 2.0 the proper tool. After an account
>> deactivation we could do the same as my answer above states.
>>
>> Greetings Florian
>>
>> Florian Forster
>> Head of CAOS
>> Phone: +41 79 956 39 01
>> Web: www.caos.ch
>>
>>
>> On Sat, 25 Apr 2020 at 13:25, Aeneas Rekkas <aeneas at ory.sh> wrote:
>>
>>> Hi,
>>>
>>> we ( https://github.com/ory/hydra ) are receiving use cases for an
>>> OP-Initiated Logout that does not involve the user’s browser and cookies. A use
>>> case might be that we want to perform Back-Channel Logout when the user
>>> changes his/her password. Another example would be that a user is banned by
>>> an administrator which in turn should trigger OIDC Back-Channel Logout. Is
>>> there any guidance on how this should be designed/implemented? Maybe even
>>> with an API Spec?
>>>
>>> Best
>>> Aeneas
>>> _______________________________________________
>>> general mailing list
>>> general at lists.openid.net
>>> http://lists.openid.net/mailman/listinfo/openid-general
>>>
>> --
>
> Florian Forster
> Head of CAOS
> Phone: +41 79 956 39 01
> Web: www.caos.ch
>
>
>
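The thread settles on two halves: the idp -> op trigger (password change, admin ban) has no standard, while the op -> rp half is the Back-Channel Logout spec Florian links, which defines an RP endpoint that receives a logout token JWT. Whatever triggers the OP, the RP is the place where a forged or replayed token would do damage, so the part worth getting right is the RP-side validation of that token. The following is an added example written for this thread, not code from ORY Hydra, Dex, CAOS or the spec itself. It implements the claim rules of Back-Channel Logout 1.0 (iss, aud, iat, jti, the backchannel-logout `events` member, sub and/or sid, no nonce), rejects replayed `jti` values, and terminates the matching RP sessions. For self-containment it signs with HS256 and a constructed shared key; a production RP verifies the OP's asymmetric signature against the OP's JWKS instead. The issuer URL, client id, key and session store are all constructed placeholders.

```python
"""RP-side handling of an OIDC Back-Channel Logout token (added example).

Assumptions (all constructed for this example): HS256 with a pre-shared key
instead of the OP's JWKS, an in-memory session store keyed by session id,
and an in-memory set of seen jti values as the replay cache.
"""
import base64
import hashlib
import hmac
import json
import time

BACKCHANNEL_EVENT = "http://schemas.openid.net/event/backchannel-logout"
KEY = b"constructed-shared-secret"   # constructed; a real OP signs with its private key
ISSUER = "https://op.example"        # constructed issuer URL
CLIENT_ID = "rp-client-1"            # constructed RP client id


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_logout_token(claims, key):
    """Constructed OP side: mint an HS256 logout token (fixture only)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


class LogoutTokenError(ValueError):
    """Raised for any token the RP must refuse (spec says: answer HTTP 400)."""


def validate_logout_token(token, key, issuer, client_id, seen_jti, now=None, max_age=120):
    """Verify signature and the logout-token claim rules; return the claims."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise LogoutTokenError("malformed token")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":          # pin the algorithm; never accept "none"
        raise LogoutTokenError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise LogoutTokenError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != issuer:
        raise LogoutTokenError("wrong issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise LogoutTokenError("wrong audience")
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)) or not (now - max_age <= iat <= now + 60):
        raise LogoutTokenError("iat outside accepted window")
    events = claims.get("events")
    if not isinstance(events, dict) or not isinstance(events.get(BACKCHANNEL_EVENT), dict):
        raise LogoutTokenError("missing backchannel-logout event")
    if "nonce" in claims:                      # prohibited: an ID token must not pass as a logout token
        raise LogoutTokenError("nonce must not be present")
    if "sub" not in claims and "sid" not in claims:
        raise LogoutTokenError("need sub or sid")
    jti = claims.get("jti")
    if not isinstance(jti, str) or jti in seen_jti:
        raise LogoutTokenError("missing or replayed jti")
    seen_jti.add(jti)
    return claims


def terminate_sessions(claims, sessions):
    """Drop the one session named by sid, or every session of sub when no sid is given."""
    removed = []
    for session_id, sess in list(sessions.items()):
        by_sid = "sid" in claims and sess["sid"] == claims["sid"]
        by_sub = "sid" not in claims and sess["sub"] == claims["sub"]
        if by_sid or by_sub:
            removed.append(session_id)
            del sessions[session_id]
    return removed


def handle_backchannel_logout(form, key, issuer, client_id, sessions, seen_jti, now=None):
    """Endpoint logic for the POSTed form: returns (HTTP status, terminated session ids)."""
    try:
        claims = validate_logout_token(form.get("logout_token", ""), key, issuer, client_id, seen_jti, now)
    except LogoutTokenError:
        return 400, []
    return 200, terminate_sessions(claims, sessions)


def example_sessions():
    """Constructed RP session store: two logins of alice, one of bob."""
    return {"s1": {"sub": "alice", "sid": "sid-a1"},
            "s2": {"sub": "alice", "sid": "sid-a2"},
            "s3": {"sub": "bob", "sid": "sid-b1"}}


def example_token(now, **overrides):
    """Constructed logout token for alice; pass claim=None to omit that claim."""
    claims = {"iss": ISSUER, "aud": CLIENT_ID, "iat": int(now), "jti": "jti-1",
              "events": {BACKCHANNEL_EVENT: {}}, "sub": "alice"}
    for name, value in overrides.items():
        if value is None:
            claims.pop(name, None)
        else:
            claims[name] = value
    return sign_logout_token(claims, KEY)


if __name__ == "__main__":
    now, sessions, seen = time.time(), example_sessions(), set()
    form = {"logout_token": example_token(now)}
    print(handle_backchannel_logout(form, KEY, ISSUER, CLIENT_ID, sessions, seen, now))  # 200, alice's sessions
    print(handle_backchannel_logout(form, KEY, ISSUER, CLIENT_ID, sessions, seen, now))  # 400, replayed jti
```

A `sub`-only token ends every session of that user, which is what a password change or an admin ban calls for; a `sid` token ends just the one login. The `jti` cache is what keeps a captured token from being posted again later, and the `iat` window bounds how long that cache must be kept.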