[Openid-specs-ab] About single logout
Breno de Medeiros
breno at google.com
Fri Sep 2 00:15:56 UTC 2011
Yes, Google is interested in supporting single sign-out in this push
model as well. I think it should be an optional feature, however.
I will read your slides.
On Thu, Sep 1, 2011 at 16:31, John Bradley <ve7jtb at ve7jtb.com> wrote:
> One possibility is having the RP register a logout endpoint with the IdP when they get their client ID.
>
> The IdP could keep the client ID of the active sessions in a browser cookie. When the user is redirected back to the IdP and elects to logout of all sessions, the IdP would create a per RP logout JWT and post that to the RP's logout endpoint.
>
> The JWT would be signed using the shared secret and have a claim of logout=force or something like that along with the user ID. The RP would need to be responsible for killing the session cookies in the user's browser.
>
> I don't know that you would get enough RPs supporting it for it to be worthwhile, though.
>
> If the RP logout endpoint is registered, then the IdP only needs to worry about the RPs that support it.
>
> I will look at your deck.
>
> John B.
> On 2011-09-01, at 8:13 PM, Andreas Åkre Solberg wrote:
>
>> After I mentioned the single logout use case, it was expressed that keeping state about RP sessions at the OP would be a no-go. Consequently, single logout is a no-go as well. I don't see any way that could possibly be implemented without the OP keeping state about the live RP sessions.
>>
>> If I were to spec single logout with OpenID Connect, it probably would include requiring that all entities be able to look up the session by a key available in a token (for example the ID token) rather than just the session cookie; and I would do most of the logout handling back-channel.
>>
>> I did a presentation on logout at a conference in Spain two years ago. I'd recommend looking through the slide deck:
>> http://tnc2009.terena.org/core/getfile2e64.pdf?file_id=341
>> It also includes screenshots from the logout solution of ours that I mentioned on the call.
>>
>> Andreas
>>
>> _______________________________________________
>> Openid-specs-ab mailing list
>> Openid-specs-ab at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>
--
--Breno
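To make the mechanism John sketches concrete, here is an added example that is not code from the thread or from any OpenID implementation: an IdP-side function mints a per-RP logout JWT signed with the shared client secret (HS256), and an RP-side handler verifies it and kills every session that was stored keyed by the user ID, which is the lookup Andreas says the RP must be able to do. Beyond the `sub` and `logout=force` claims the thread names, the `aud`, `iat`, `exp` and `jti` claims, the `https://idp.example` issuer, the secret and the session identifiers are all this example's own assumptions. Only the Python standard library is used.

```python
"""Added example (not from the OpenID AB thread or any real implementation):
back-channel logout with a per-RP logout JWT, using only the standard library.
Claim names beyond 'sub' and 'logout' are assumptions of this example."""
import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_logout_jwt(secret: bytes, client_id: str, user_id: str, now=None, ttl=120) -> str:
    """IdP side: build a compact HS256 JWS addressed to one RP.
    'aud' pins the token to that RP's client ID, 'iat'/'exp' bound its lifetime,
    and 'jti' lets the RP reject a replayed POST (all assumed claims)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "iss": "https://idp.example",  # constructed issuer
        "aud": client_id,
        "sub": user_id,                # the user ID the thread mentions
        "logout": "force",             # the logout=force claim the thread mentions
        "iat": now,
        "exp": now + ttl,
        "jti": hashlib.sha256(f"{client_id}|{user_id}|{now}".encode()).hexdigest()[:16],
    }
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_logout_jwt(token: str, secret: bytes, client_id: str, now=None, seen_jti=None) -> dict:
    """RP side: accept only an HS256 token for this client, signed with our shared
    secret, inside its validity window and not seen before. Returns the claims."""
    now = int(time.time()) if now is None else now
    seen_jti = set() if seen_jti is None else seen_jti
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    # The RP fixes the algorithm; the token never gets to choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(p64))
    if payload.get("aud") != client_id:
        raise ValueError("token not addressed to this RP")
    if payload.get("logout") != "force" or "sub" not in payload:
        raise ValueError("not a logout assertion")
    if not (payload.get("iat", 0) <= now < payload.get("exp", 0)):
        raise ValueError("token expired or not yet valid")
    if payload.get("jti") in seen_jti:
        raise ValueError("replayed token")
    seen_jti.add(payload.get("jti"))
    return payload


def is_valid_logout_jwt(token: str, secret: bytes, client_id: str, now=None, seen_jti=None) -> bool:
    """Boolean convenience wrapper around verify_logout_jwt."""
    try:
        verify_logout_jwt(token, secret, client_id, now, seen_jti)
        return True
    except (ValueError, UnicodeDecodeError, json.JSONDecodeError):
        return False


class RpSessionStore:
    """RP sessions indexed by user ID, so a logout assertion about a user can
    find every live session without needing that user's session cookie."""

    def __init__(self):
        self._sessions = {}  # session_id -> user_id (constructed, in-memory)

    def create(self, session_id: str, user_id: str) -> None:
        self._sessions[session_id] = user_id

    def active(self, session_id: str) -> bool:
        return session_id in self._sessions

    def logout_user(self, user_id: str) -> int:
        doomed = [sid for sid, uid in self._sessions.items() if uid == user_id]
        for sid in doomed:
            del self._sessions[sid]
        return len(doomed)


def handle_logout_post(store: RpSessionStore, token: str, secret: bytes,
                       client_id: str, now=None, seen_jti=None) -> int:
    """The RP's registered logout endpoint: verify, then kill the user's sessions.
    Returns the number of sessions terminated."""
    claims = verify_logout_jwt(token, secret, client_id, now, seen_jti)
    return store.logout_user(claims["sub"])


if __name__ == "__main__":
    secret = b"constructed-shared-client-secret"
    store = RpSessionStore()
    store.create("sess-a", "user-42")
    store.create("sess-b", "user-42")
    tok = make_logout_jwt(secret, "rp-123", "user-42")
    print("sessions terminated:", handle_logout_post(store, tok, secret, "rp-123"))
```

The RP side deliberately checks audience, lifetime and `jti` in addition to the signature: without `aud`, a logout token minted for one RP could be posted to another RP that shares a user ID space, and without `exp`/`jti` a captured POST could be replayed to log the user out at will. Clearing the browser cookies themselves still has to happen on the RP's next interaction with that browser, since the back-channel POST never reaches it.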