<div dir="ltr">Not that I know off the top of my head<div><br><div><div><div><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><span><div dir="ltr" style="margin-left:0pt"><table style="border:none;border-collapse:collapse"><colgroup><col width="198"><col width="402"></colgroup><tbody><tr style="height:103pt"><td style="vertical-align:top;padding:5pt"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap"><img src="https://lh6.googleusercontent.com/jlaP8D2tHfXHmrx3_mmnA58N-I73hYMU3-salgha0iJ4iPs-QSWh2aD42e3Z1lRnLOwFKI8Gj40xuTty9BfRiePIaQyUQANEXAK5ITUIBrwH8V4DtOQ8EEDGFLqo6fe9hY1b-KJQ" width="167" height="83" style="border:none"></span></p></td><td style="vertical-align:top;padding:5pt"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:14pt;font-family:Lato,sans-serif;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap">Florian Forster</span></p><p dir="ltr" style="line-height:1.8;margin-top:0pt;margin-bottom:0pt"><span style="font-size:10pt;font-family:Lato,sans-serif;color:rgb(153,153,153);background-color:transparent;vertical-align:baseline;white-space:pre-wrap">H e a d o f C A O S</span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:10pt;font-family:Lato,sans-serif;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap">Phone: +41 79 956 39 01</span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:10pt;font-family:Lato,sans-serif;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap">Web: </span><span 
style="font-size:10pt;font-family:Lato,sans-serif;background-color:transparent;vertical-align:baseline;white-space:pre-wrap"><font color="#000000"> <a href="http://www.caos.ch" target="_blank">www.caos.ch</a></font></span></p></td></tr></tbody></table></div></span></div></div></div></div></div></div></div><br></div></div></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, 30 Apr 2020 at 10:23, Aeneas Rekkas <aeneas@ory.sh> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><div style="word-wrap:break-word;line-break:after-white-space">Yup exactly! I think LDAP is a pretty good example for this flow. Because not everyone uses LDAP or has audit logs for that I was wondering if there’s any specification or guidance around that.<div><br></div><div>Thank you!<br><div><div><br><blockquote type="cite"><div>On 30.04.2020 at 10:21, Florian Forster <<a href="mailto:florian@caos.ch" target="_blank">florian@caos.ch</a>> wrote:</div><br><div><div dir="ltr"><div dir="ltr">I think I now understand your question.<div><br></div><div>So you are asking about the idp -> op (oidc facade) "trigger" and not about the op -> rp integration (OIDC Backchannel logout)[1], right?</div><div>I am not aware of a definition / standard for the idp -> op part, others might be :-)</div><div><br></div><div>Most systems I know use specific integrations corresponding to the idp capabilities, e.g. with LDAP they tail the audit log for changes or have scheduled queries.</div><div><br></div><div>1: <a href="https://openid.net/specs/openid-connect-backchannel-1_0.html" target="_blank">https://openid.net/specs/openid-connect-backchannel-1_0.html</a><br clear="all"><br></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, 30 Apr 2020 at 09:31, Aeneas Rekkas <<a
href="mailto:aeneas@ory.sh" target="_blank">aeneas@ory.sh</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><div style="word-wrap:break-word;line-break:after-white-space">Hi Florian,<div><br></div><div>thank you for the responses!</div><div><br></div><div>> I think most times this happens, it is directly at the OP (or at least its storage) so is this really a use-case for OP initiated Back-channel Logout? The OP can in this case decide by itself to cancel sessions and trigger RP's about this. Maybe you can elaborate in which setup you find this case.</div><div><br></div><div>Depends on the implementation of the OP. For ORY Hydra or CoreOS Dex, which are more or less “OpenID OP Proxies” this would not be at the OP directly, but instead at the IdP (the actual user database that implements signup, account recovery et al.). Since OIDC does not specify anything regarding user registration and other basic flows I would assume that this is an intended operational model. For example when having an existing user system and wanting to add OIDC support. In that case the original user system would do the password change, and the “OIDC support” would need to be notified of that change in order to trigger a logout, which in turn triggers OIDC Backchannel Logout. My question is if there’s any guidance (e.g. 
API wise or security wise “don’t do this and that!!!”) around that.</div><div><br></div><div>Hope this clarifies my question!</div><div><br><div><br><blockquote type="cite"><div>On 29.04.2020 at 20:09, Florian Forster <<a href="mailto:florian@caos.ch" target="_blank">florian@caos.ch</a>> wrote:</div><br><div><div><div dir="auto">Me again</div><div dir="auto"><br></div><div dir="auto">I think I took a wrong turn interpreting your email on my phone :-)</div></div><div dir="auto"><br></div><div dir="auto">If I understand you correctly you are searching for more or less this one<br></div><div dir="auto">-> <div><a href="https://openid.net/specs/openid-connect-backchannel-1_0.html" target="_blank">https://openid.net/specs/openid-connect-backchannel-1_0.html</a></div></div><div dir="auto"><br></div><div><div dir="auto">Which basically defines a URL Endpoint within the RP where the OP can send a JWT. Is it in your use-case a problem for the OP to track the clients on which RP they did sign-in?</div><div dir="auto"><br></div><div dir="auto">Greets</div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, 29 Apr 2020 at 17:17, Florian Forster <<a href="mailto:florian@caos.ch" target="_blank">florian@caos.ch</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr"><div dir="ltr">Hi Aeneas</div><div dir="ltr"><br></div><div dir="ltr">Below some questions/answers. Maybe I did not fully get your idea :-) <br><div><br></div><div>...when the user changes his/her password.</div><div>> I think most times this happens, it is directly at the OP (or at least its storage) so is this really a use-case for OP initiated Back-channel Logout? The OP can in this case decide by itself to cancel sessions and trigger RP's about this. 
Maybe you can elaborate in which setup you find this case.</div><div><br></div><div>...banned by an administrator which in turn should trigger OIDC Back-Channel Logout.</div><div>> Is the user banned from the RP or the OP? Because, if it is an Identity-Lifecycle thing, where the user is completely locked I find services like SCIM 2.0 the proper tool. After an account deactivation we could do the same as my answer above states.</div><div><br></div><div>Greetings Florian</div><div><div><br></div></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sat, 25 Apr 2020 at 13:25, Aeneas Rekkas <<a href="mailto:aeneas@ory.sh" target="_blank">aeneas@ory.sh</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><div style="word-wrap:break-word;line-break:after-white-space">Hi,<div><br></div><div>we ( <a href="https://github.com/ory/hydra" target="_blank">https://github.com/ory/hydra</a> ) are receiving use cases for an OP-Initiated that does not involve the user’s browser and cookies. A use case might be that we want to perform Back-Channel Logout when the user changes his/her password. Another example would be that a user is banned by an administrator which in turn should trigger OIDC Back-Channel Logout. Is there any guidance on how this should be designed/implemented? Maybe even with an API Spec?</div><div><br></div><div>Best</div><div>Aeneas</div></div>_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@lists.openid.net" target="_blank">general@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-general" rel="noreferrer" target="_blank">http://lists.openid.net/mailman/listinfo/openid-general</a><br>
</blockquote></div>
</blockquote></div></div>
</div></blockquote></div><br></div></div></blockquote></div>
</div></blockquote></div><br></div></div></div></blockquote></div>
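<p>The thread leaves the IdP -> OP trigger unspecified, but the OP -> RP leg is exactly the Back-Channel Logout spec Florian links. What follows is an added example, not part of the thread and not code from ORY Hydra, Dex, or the spec itself: the OP side mints the Logout Token it would POST as <code>logout_token=...</code> to the RP's registered <code>backchannel_logout_uri</code> once its IdP integration (audit-log tailing, a scheduled query, an admin ban) reports the event, and the RP side applies the spec's validation rules (<code>iss</code>, <code>aud</code>, <code>iat</code>/<code>exp</code>, <code>sub</code> or <code>sid</code>, the <code>events</code> claim naming the backchannel-logout event, no <code>nonce</code>, a fresh <code>jti</code>) before it terminates matching local sessions. Everything concrete is an assumption made to keep the block self-contained: HS256 keyed with the client secret stands in for the asymmetric key an OP would normally publish in its JWKS, the issuer, client, user and session names are made up, and the in-memory <code>seen_jti</code> set stands in for a real replay store.</p>

```python
import base64
import hashlib
import hmac
import json
import time
import uuid

BACKCHANNEL_LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"


class LogoutTokenError(Exception):
    """Raised by the RP when a Logout Token fails a validation step."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _hs256(signing_input: bytes, secret: bytes) -> bytes:
    # Assumption for self-containment: HS256 keyed with the client secret (a real OP usually uses JWKS keys).
    return hmac.new(secret, signing_input, hashlib.sha256).digest()


def build_logout_token(issuer, client_id, client_secret, sub=None, sid=None,
                       now=None, ttl=120, jti=None):
    """OP side: mint the Logout Token POSTed as logout_token=... to the RP's
    backchannel_logout_uri once the OP's IdP integration reports the event."""
    if sub is None and sid is None:
        raise ValueError("a Logout Token must carry sub, sid, or both")
    now = int(time.time()) if now is None else now
    claims = {"iss": issuer, "aud": client_id, "iat": now, "exp": now + ttl,
              "jti": jti or str(uuid.uuid4()),
              "events": {BACKCHANNEL_LOGOUT_EVENT: {}}}  # and deliberately no nonce
    claims.update({k: v for k, v in (("sub", sub), ("sid", sid)) if v is not None})
    header = {"alg": "HS256", "typ": "logout+jwt"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    return signing_input + "." + _b64url(_hs256(signing_input.encode(), client_secret))


def validate_logout_token(token, issuer, client_id, client_secret, seen_jti,
                          now=None, leeway=60):
    """RP side: the spec's Logout Token validation rules, applied before any session is touched."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header, claims = json.loads(_b64url_decode(h_b64)), json.loads(_b64url_decode(p_b64))
        signature = _b64url_decode(s_b64)
    except ValueError as exc:  # bad split, bad base64, bad UTF-8, bad JSON
        raise LogoutTokenError(f"malformed token: {exc}") from exc
    if not (isinstance(header, dict) and isinstance(claims, dict)):
        raise LogoutTokenError("JOSE header and claims must be objects")
    if header.get("alg") != "HS256":  # pin the registered alg; never trust the header's alg
        raise LogoutTokenError("unexpected alg")
    if not hmac.compare_digest(_hs256(f"{h_b64}.{p_b64}".encode(), client_secret), signature):
        raise LogoutTokenError("bad signature")
    if claims.get("iss") != issuer:
        raise LogoutTokenError("wrong issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise LogoutTokenError("token not addressed to this client")
    now = int(time.time()) if now is None else now
    iat, exp = claims.get("iat"), claims.get("exp")
    if not isinstance(iat, int) or iat > now + leeway:
        raise LogoutTokenError("iat missing or in the future")
    if exp is not None and now > exp + leeway:
        raise LogoutTokenError("token expired")
    if "sub" not in claims and "sid" not in claims:
        raise LogoutTokenError("neither sub nor sid present")
    events = claims.get("events")
    if not isinstance(events, dict) or BACKCHANNEL_LOGOUT_EVENT not in events:
        raise LogoutTokenError("missing backchannel-logout event")
    if "nonce" in claims:  # a nonce means an ID Token is being passed off as a Logout Token
        raise LogoutTokenError("nonce present")
    jti = claims.get("jti")
    if not jti or jti in seen_jti:
        raise LogoutTokenError("jti missing or replayed")
    seen_jti.add(jti)
    return claims


def terminate_sessions(sessions, claims):
    """RP side: end the session named by sid, or every session of sub when no sid was sent."""
    key = "sid" if "sid" in claims else "sub"
    killed = [s for s, v in sessions.items() if v[key] == claims[key]]
    for s in killed:
        del sessions[s]
    return killed


def demo():
    """Constructed run (names made up): a password change for alice reaches the OP,
    the RP validates the token, ends her sessions and rejects the same token again."""
    issuer, client_id, secret = "https://op.example.com", "rp-client", b"example-client-secret"
    sessions = {"rp-sess-1": {"sub": "alice", "sid": "op-sid-42"},
                "rp-sess-2": {"sub": "alice", "sid": "op-sid-43"},
                "rp-sess-3": {"sub": "bob", "sid": "op-sid-44"}}
    seen = set()
    token = build_logout_token(issuer, client_id, secret, sub="alice", now=1_600_000_000, jti="evt-1")
    killed = terminate_sessions(sessions, validate_logout_token(token, issuer, client_id, secret, seen, now=1_600_000_010))
    try:
        validate_logout_token(token, issuer, client_id, secret, seen, now=1_600_000_010)
        replay_rejected = False
    except LogoutTokenError:
        replay_rejected = True
    return {"killed": sorted(killed), "remaining": sorted(sessions), "replay_rejected": replay_rejected}
```

<p>Two things the block intentionally leaves to the surrounding service. The <code>jti</code> guard is the replay check the spec marks optional; back it with a store that expires entries once the token's <code>exp</code> has passed rather than an unbounded set. And the OP still has to know which RPs hold sessions for the user in order to send the token at all, which is the bookkeeping Florian asks about above; the spec defines the token and the endpoint, not how the OP learns from its IdP that a password changed or an account was banned.</p>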