[Openid-specs-ab] About single logout
John Bradley
ve7jtb at ve7jtb.com
Thu Sep 1 23:31:45 UTC 2011
One possibility is having the RP register a logout endpoint with the IdP when they get their client ID.
The IdP could keep the client ID of the active sessions in a browser cookie. When the user is redirected back to the IdP and elects to log out of all sessions, the IdP would create a per-RP logout JWT and post that to the RP's logout endpoint.
The JWT would be signed using the shared secret and have a claim of logout=force or something like that along with the user ID. The RP would need to be responsible for killing the session cookies in the user's browser.
I don't know that you would get enough RPs supporting it for it to be worthwhile though.
If the RP logout endpoint is registered, then the IdP only needs to worry about the RPs that support it.
I will look at your deck.
John B.
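The back-channel flow sketched above (IdP mints a per-RP logout JWT signed with the shared client secret, carrying the user ID and a logout=force claim; the RP verifies it and tears down the user's sessions) as an added, self-contained example. This is not code from the list post or from any OpenID specification: the claim names (sub, aud, logout, iat, jti), the HS256 compact-JWS encoding, the in-memory session store, the client ID, the secret and the endpoint URL are all constructed assumptions for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed registration data: the RP registered a logout endpoint with the
# IdP when it obtained its client ID. The secret is a placeholder, not a real key.
CLIENT_ID = "rp-example-client"
CLIENT_SECRET = b"constructed-shared-secret-do-not-reuse"
LOGOUT_ENDPOINT = "https://rp.example/logout"  # hypothetical registered endpoint


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def build_logout_token(user_id, client_id, secret, now=None):
    """IdP side: mint a per-RP logout JWT (HS256 JWS compact form).

    The token is bound to one RP via 'aud', carries the user in 'sub', the
    assumed 'logout': 'force' claim, an issue time and a unique 'jti' so the
    RP can reject replays.
    """
    now = int(now if now is not None else time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "sub": user_id,
        "aud": client_id,
        "logout": "force",
        "iat": now,
        "jti": hashlib.sha256(f"{client_id}:{user_id}:{now}".encode()).hexdigest()[:16],
    }
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class RelyingParty:
    """RP side: a constructed in-memory session store plus the logout endpoint logic."""

    def __init__(self, client_id, secret, max_age=300):
        self.client_id = client_id
        self.secret = secret
        self.max_age = max_age          # seconds a logout token stays acceptable
        self.sessions = {}              # session cookie value -> user ID
        self.seen_jti = set()           # replay cache for accepted tokens

    def login(self, session_id, user_id):
        self.sessions[session_id] = user_id

    def handle_logout_token(self, token, now=None):
        """Verify the posted logout JWT and invalidate every session of that user.

        Returns the number of sessions terminated; raises ValueError on any
        check failure so nothing is logged out on a bad token.
        """
        now = now if now is not None else time.time()
        try:
            h, p, s = token.split(".")
        except ValueError:
            raise ValueError("malformed token")
        header = json.loads(_b64url_decode(h))
        if header.get("alg") != "HS256":
            raise ValueError("unexpected alg")  # refuse 'none' / algorithm switching
        expected = hmac.new(self.secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            raise ValueError("bad signature")
        claims = json.loads(_b64url_decode(p))
        if claims.get("aud") != self.client_id:
            raise ValueError("token not addressed to this RP")
        if claims.get("logout") != "force":
            raise ValueError("not a logout token")
        if not (now - self.max_age <= claims.get("iat", 0) <= now + 60):
            raise ValueError("token too old or from the future")
        jti = claims.get("jti")
        if jti is None or jti in self.seen_jti:
            raise ValueError("replayed token")
        self.seen_jti.add(jti)
        user = claims["sub"]
        doomed = [sid for sid, uid in self.sessions.items() if uid == user]
        for sid in doomed:
            del self.sessions[sid]   # cookie value no longer maps to a session
        return len(doomed)


def try_logout(rp, token, now=None):
    """Wrapper returning (accepted, sessions_killed_or_reason) for the endpoint outcome."""
    try:
        return True, rp.handle_logout_token(token, now=now)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    rp = RelyingParty(CLIENT_ID, CLIENT_SECRET)
    rp.login("s1", "alice")
    rp.login("s2", "alice")
    rp.login("s3", "bob")
    tok = build_logout_token("alice", CLIENT_ID, CLIENT_SECRET)
    print("IdP would POST to", LOGOUT_ENDPOINT, "->", try_logout(rp, tok))
    print("replay ->", try_logout(rp, tok))
    print("remaining sessions:", rp.sessions)
```

Because the logout is delivered back channel, the RP cannot clear the cookie in the browser itself; what it can do is drop the server-side session the cookie points to, which is why the RP must be able to find all of a user's sessions from the user ID in the token rather than only from the cookie it would receive in a front-channel request. The aud check keeps one RP's token from being replayed against another RP sharing the same IdP, and the iat window plus jti cache bounds what a captured token is worth.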
On 2011-09-01, at 8:13 PM, Andreas Åkre Solberg wrote:
> After I mentioned the single logout use case, it was expressed that keeping state about RP sessions at the OP would be a no-go. Consequently single logout is a no-go as well. I don't see any way that could possibly be implemented without the OP keeping state of the live RP sessions.
>
> If I were to spec single logout with OpenID Connect, it probably would include requiring that all entities be able to look up the session by a key available in a token (for example the ID token) rather than just the session cookie; and I would do most of the logout handling back channel.
>
> I did a presentation on logout at a conference in Spain two years ago. I'd recommend looking through the slide deck:
> http://tnc2009.terena.org/core/getfile2e64.pdf?file_id=341
> It also includes screenshots from our logout solution that I mentioned on the call.
>
> Andreas
>
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab