[Openid-specs-ab] Session management questions

Mike Jones Michael.Jones at microsoft.com
Fri May 24 01:48:00 UTC 2013


Hi Breno and Naveen,

(1)  Assume that two users (Alice and Bob) have sessions from the same RP logged into the same OP.  Bob decides to log out.  Per the session management spec, Bob is logged out of the RP locally and then the RP redirects to the OP's end_session_endpoint.  Does the OP also log Alice out when Bob consents to the logout action, or just Bob?  If Alice is not logged out, how does the OP know which user to log out?  Through Bob's cookie?  (I think that this is the case, but wanted to verify it.)

At a minimum, we need to say what is expected to happen in this case in the spec.  It wasn't clear to some developers reading it recently.

(2)  In a related question, should we be passing an id_token as a parameter to the logout URL so that the OP knows which session to log out?  Or is this already known, per the answer to (1)?  Would adding this parameter enable additional kinds of attacks?

Thanks,
-- Mike
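The behaviour asked about in (1) and (2), as an added example that is not part of this message or of the OpenID specifications: a minimal OP-side end_session handler that identifies the session to end by the browser's own cookie and, when an id_token is also passed, accepts it only if its signature verifies and it names the same user as that cookie, so one user's logout can never end another user's session. The HS256 signing helper, key, cookie names and return strings are all constructed for this illustration.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed for this example: the OP's own HS256 key for the id_tokens it issues.
OP_KEY = b"example-op-signing-key"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_id_token(claims: dict) -> str:
    """Mint a compact HS256 JWT; stands in for the OP's real id_token issuer."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(OP_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_id_token(token: str) -> Optional[dict]:
    """Return the claims only if the token carries the OP's own signature."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(OP_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(expected), sig):
        return None
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def end_session(sessions: dict, cookie: Optional[str], id_token_hint: Optional[str] = None) -> str:
    """OP-side end_session_endpoint logic (constructed).

    The browser's cookie selects the session; an id_token passed by the RP is
    only a cross-check and can never select a session on its own.
    """
    session = sessions.get(cookie)
    if session is None:
        return "no_session"          # nothing to end; a hint alone is not trusted
    if id_token_hint is not None:
        claims = verify_id_token(id_token_hint)
        if claims is None or claims.get("sub") != session["sub"]:
            return "hint_mismatch"   # unsigned, forged, or names a different user
    del sessions[cookie]             # only this browser's session is ended
    return "logged_out:" + session["sub"]
```

With Alice and Bob each holding their own OP cookie, Bob's logout removes only Bob's entry and Alice's session is untouched.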
