<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<style>@font-face{font-family:Calibri;panose-1:2 15 5 2 2 2 4 3 2 4;}</style>
</head>
<body>
<font face="Calibri">
<p dir="ltr">took a while (being an unexceptional), but I eventually grasped what oauth2 and then openid connect had added beyond earlier websso sign on protocols. I even understood how they had abandoned user centric ideas (of openid) in favor of multi_layer
governance.</p>
<p dir="ltr">in short, is there a leap in signout? if so, Anyone, what is it?<br>
</p>
<br>
<br>
On September 9, 2015, at 11:54 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:<br>
<br>
</font><style>
<!--
p.x_MsoNormal, li.x_MsoNormal, div.x_MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif"}
span.x_MsoHyperlink
{color:blue;
text-decoration:underline}
span.x_MsoHyperlinkFollowed
{color:purple;
text-decoration:underline}
span.x_EmailStyle17
{font-family:"Calibri","sans-serif";
color:windowtext}
.x_MsoChpDefault
{font-family:"Calibri","sans-serif"}
div.x_WordSection1
{}
-->
</style>
<div lang="EN-US" link="blue" vlink="purple">
<div class="x_WordSection1">
<p class="x_MsoNormal">A new back-channel OpenID Connect Logout spec has been published at
<a href="http://openid.net/specs/openid-connect-backchannel-1_0.html">http://openid.net/specs/openid-connect-backchannel-1_0.html</a>. This can coexist with or be used instead of the front-channel-based
<a href="http://openid.net/specs/openid-connect-session-1_0.html">Session Management</a> and
<a href="http://openid.net/specs/openid-connect-logout-1_0.html">HTTP-Based Logout</a> specifications.</p>
<p class="x_MsoNormal"> </p>
<p class="x_MsoNormal">The abstract for the new specification states:</p>
<p class="x_MsoNormal" style="margin-left:.5in"><i>This specification defines a logout mechanism that uses back-channel communication between the OP and RPs being logged out; this differs from front-channel logout mechanisms, which communicate logout requests
from the OP to RPs via the User Agent.</i></p>
<p class="x_MsoNormal"> </p>
<p class="x_MsoNormal">This completes publication of the three planned OpenID Connect logout mechanisms: two that communicate on the front-channel through the User Agent (browser) and this one that communicates on the back-channel, without involving the User
Agent. See <a href="http://openid.net/specs/openid-connect-backchannel-1_0-00.html#Introduction">
the Introduction</a> for a discussion of the upsides and downsides of the different logout approaches. As much as we'd like there to be a single logout solution, both experience and extensive discussions led us to the conclusion that there isn't a feasible
one-size-fits-all approach.</p>
<p class="x_MsoNormal"> </p>
<p class="x_MsoNormal">Reviews of the new (and existing!) specifications are welcomed.</p>
<p class="x_MsoNormal"> </p>
<p class="x_MsoNormal">Thanks to John Bradley, Pedro Felix, Nat Sakimura, Brian Campbell, and Todd Lainhart for their contributions to the creation of the specification.</p>
<p class="x_MsoNormal"> </p>
<p class="x_MsoNormal"> -- Mike</p>
<p class="x_MsoNormal"> </p>
<p class="x_MsoNormal">P.S. This note was also published at <a href="http://self-issued.info/?p=1452">
http://self-issued.info/?p=1452</a> and as <a href="https://twitter.com/selfissued">
@selfissued</a>.</p>
</div>
</div>
</body>
</html>