[OpenID] OP-Initiated Logout without User Involvement
Florian Forster
florian at caos.ch
Thu Apr 30 08:33:40 UTC 2020
Not that I know off the top of my head
Florian Forster
Head of CAOS
Phone: +41 79 956 39 01
Web: www.caos.ch
On Thu, 30 Apr 2020 at 10:23, Aeneas Rekkas <aeneas at ory.sh> wrote:
> Yup exactly! I think LDAP is a pretty good example for this flow. Because
> not everyone uses LDAP or has audit logs for that I was wondering if
> there’s any specification or guidance around that.
>
> Thank you!
>
> On 30.04.2020 at 10:21, Florian Forster <florian at caos.ch> wrote:
>
> I think I now understand your question.
>
> So you are asking about the idp -> op (oidc facade) "trigger" and not
> about the op -> rp integration (OIDC Backchannel logout)[1], right?
> I am not aware of a definition / standard for the idp -> op part, others
> might be :-)
>
> Most systems I know use specific integrations corresponding to the
> idp capabilities, e.g. with LDAP they tail the audit log for changes or have
> scheduled queries.
>
> 1: https://openid.net/specs/openid-connect-backchannel-1_0.html
>
> Florian Forster
> Head of CAOS
> Phone: +41 79 956 39 01
> Web: www.caos.ch
>
>
> On Thu, 30 Apr 2020 at 09:31, Aeneas Rekkas <aeneas at ory.sh> wrote:
>
>> Hi Florian,
>>
>> thank you for the responses!
>>
>> > I think most times this happens, it is directly at the OP (or at least
>> its storage) so is this really a use-case for OP initiated Back-channel
>> Logout? The OP can in this case decide by itself to cancel sessions and
>> trigger RPs about this. Maybe you can elaborate in which setup you find
>> this case.
>>
>> Depends on the implementation of the OP. For ORY Hydra or CoreOS Dex,
>> which are more or less „OpenID OP Proxies“ this would not be at the OP
>> directly, but instead at the IdP (the actual user database that implements
>> signup, account recovery et al). Since OIDC does not specify anything
>> regarding user registration and other basic flows I would assume that this
>> is an intended operational model. For example when having an existing user
>> system and wanting to add OIDC support. In that case the original user
>> system would do the password change, and the „OIDC support“ would need to
>> be notified of that change in order to trigger a logout, which in turn
>> triggers OIDC Backchannel Logout. My question is if there’s any guidance
>> (e.g. API wise or security wise „don’t do this and that!!!“) around that.
>>
>> Hope this clarifies my question!
>>
>>
>> On 29.04.2020 at 20:09, Florian Forster <florian at caos.ch> wrote:
>>
>> Me again
>>
>> I think I took a wrong turn interpreting your email on my phone :-)
>>
>> If I understand you correctly you search more or less this one
>> ->
>> https://openid.net/specs/openid-connect-backchannel-1_0.html
>>
>> Which basically defines a URL Endpoint within the RP where the OP can
>> send a JWT. Is it in your use-case a problem for the OP to track the
>> clients on which RP they did sign-in?
>>
>> Greets
>>
>> On Wed, 29 Apr 2020 at 17:17, Florian Forster <florian at caos.ch> wrote:
>>
>>> Hi Aeneas
>>>
>>> Below some questions/answers. Maybe I did not fully get your idea :-)
>>>
>>> ...when the user changes his/her password.
>>> > I think most times this happens, it is directly at the OP (or at least
>>> its storage) so is this really a use-case for OP initiated Back-channel
>>> Logout? The OP can in this case decide by itself to cancel sessions and
>>> trigger RPs about this. Maybe you can elaborate in which setup you find
>>> this case.
>>>
>>> ...banned by an administrator which in turn should trigger OIDC
>>> Back-Channel Logout.
>>> > Is the user banned from the RP or the OP? Because, if it is an
>>> Identity-Lifecycle thing, where the user is completely locked I
>>> find services like SCIM 2.0 the proper tool. After an account
>>> deactivation we could do the same as my answer above states.
>>>
>>> Greetings Florian
>>>
>>> Florian Forster
>>> Head of CAOS
>>> Phone: +41 79 956 39 01
>>> Web: www.caos.ch
>>>
>>>
>>> On Sat, 25 Apr 2020 at 13:25, Aeneas Rekkas <aeneas at ory.sh> wrote:
>>>
>>>> Hi,
>>>>
>>>> we ( https://github.com/ory/hydra ) are receiving use cases for an
>>>> OP-Initiated that does not involve the user’s browser and cookies. A use
>>>> case might be that we want to perform Back-Channel Logout when the user
>>>> changes his/her password. Another example would be that a user is banned by
>>>> an administrator which in turn should trigger OIDC Back-Channel Logout. Is
>>>> there any guidance on how this should be designed/implemented? Maybe even
>>>> with an API Spec?
>>>>
>>>> Best
>>>> Aeneas
>>>> _______________________________________________
>>>> general mailing list
>>>> general at lists.openid.net
>>>> http://lists.openid.net/mailman/listinfo/openid-general
>>>>
>>> --
>>
>> Florian Forster
>> Head of CAOS
>> Phone: +41 79 956 39 01
>> Web: www.caos.ch
>>
>>
>>
>
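The RP-side piece the thread keeps pointing at (the endpoint at the RP where the OP posts a Logout Token JWT), as an added example that is not part of this thread, of ORY Hydra or of the spec text itself: it runs the Logout Token checks that OpenID Connect Back-Channel Logout 1.0 requires of the RP (issuer, audience, iat, the backchannel-logout events claim, sub and/or sid, no nonce, jti replay). Assumptions: a constructed HS256 signature over the client secret stands in for the OP's real signing key, and the issuer, client id, secret and claim values are constructed; the idp -> op trigger that the thread says has no standard is deliberately not modelled.

```python
import base64, hashlib, hmac, json, time

BACKCHANNEL_EVENT = "http://schemas.openid.net/event/backchannel-logout"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_logout_token(secret: bytes, claims: dict) -> str:
    # Constructed OP side: HS256 over the client secret (a real OP signs with its own key).
    header = _b64url(json.dumps({"alg": "HS256"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def validate_logout_token(token: str, secret: bytes, issuer: str, client_id: str,
                          seen_jtis: set, now=None, max_age: int = 300):
    # RP side: Back-Channel Logout 1.0 section 2.4 checks; returns (sub, sid).
    # Any ValueError is what the endpoint turns into an HTTP 400 response.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWS")
    h, b, s = parts
    if json.loads(_unb64url(h)).get("alg") != "HS256":  # never accept "none" or a surprise alg
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{b}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(s)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(b))
    if claims.get("iss") != issuer:
        raise ValueError("bad iss")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("bad aud")
    now = int(time.time()) if now is None else now
    if not isinstance(claims.get("iat"), int) or abs(now - claims["iat"]) > max_age:
        raise ValueError("iat missing or outside acceptable window")
    events = claims.get("events")
    if not isinstance(events, dict) or not isinstance(events.get(BACKCHANNEL_EVENT), dict):
        raise ValueError("missing backchannel-logout event")
    if "nonce" in claims:  # a Logout Token is not an ID Token; nonce must be absent
        raise ValueError("nonce must not be present")
    sub, sid = claims.get("sub"), claims.get("sid")
    if sub is None and sid is None:
        raise ValueError("need sub or sid")
    jti = claims.get("jti")
    if not jti or jti in seen_jtis:  # replay protection for a re-delivered token
        raise ValueError("jti missing or replayed")
    seen_jtis.add(jti)
    return sub, sid
```

On success the RP ends the session(s) identified by sub/sid and answers 200 OK; whichever trigger fires on the IdP side (password change, admin ban), this endpoint only ever sees the OP's signed Logout Token.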