[Openid-specs-ab] Session management questions
Breno de Medeiros
breno at google.com
Fri May 24 03:19:27 UTC 2013
I think we should use the same approach as in the immediate flow,
i.e., provide a hint about the intended user. In fact I had suggested
the entire id_token be supplied to the OP.
On Thu, May 23, 2013 at 6:48 PM, Mike Jones <Michael.Jones at microsoft.com> wrote:
> Hi Breno and Naveen,
>
> (1) Assume that two users (Alice and Bob) have sessions from the same RP
> logged into the same OP. Bob decides to log out. Per the session
> management spec, Bob is logged out of the RP locally and then the RP
> redirects to the OP’s end_session_endpoint. Does the OP also log Alice out
> when Bob consents to the logout action or just Bob? If Alice is not logged
> out, how does the OP know which user to log out? Through Bob’s cookie? (I
> think that this is the case, but wanted to verify it.)
>
> At a minimum, we need to say what is expected to happen in this case in the
> spec. It wasn’t clear to some developers reading it recently.
>
> (2) In a related question, should we be passing an id_token as a parameter
> to the logout URL so that the OP knows which session to log out? Or is this
> already known, per the answer to (1)? Would adding this parameter enable
> additional kinds of attacks?
>
> Thanks,
>
> -- Mike
--
--Breno
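An added illustration of the approach Breno proposes (example code written for this page, not code from the thread, the spec, or any OpenID implementation): an OP-side end_session handler that treats the RP-supplied id_token as a hint about which user the RP wants logged out, verifies it, and compares its `sub` with the user bound to the browser's OP session cookie before ending anything. This is the pattern that OpenID Connect later standardised as the `id_token_hint` parameter of RP-Initiated Logout. The issuer, client id, HS256 signing key, session store and cookie values are all constructed; using HS256 instead of the OP's real asymmetric signing keys is only to keep the example dependency-free; and the choice to ask for confirmation rather than guess when hint and cookie disagree is a design decision of this example, not something the thread settles.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# All values below are constructed for this example.
OP_ISSUER = "https://op.example"
RP_CLIENT_ID = "rp.example"
OP_HMAC_KEY = b"constructed-op-signing-key"  # HS256 keeps the example self-contained


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(sub: str, aud: str, key: bytes = OP_HMAC_KEY) -> str:
    """Issue a minimal HS256 id_token (header.payload.signature) for one user."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"iss": OP_ISSUER, "sub": sub, "aud": aud}).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_id_token(token: str, key: bytes = OP_HMAC_KEY) -> Optional[dict]:
    """Return the claims if the signature and issuer check out, otherwise None.

    Expiry is deliberately not enforced on a logout hint (assumption of this
    example); only the signature and the issuer are checked here.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # never trust the token's own alg choice
            return None
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # malformed base64, JSON or token shape
        return None
    if claims.get("iss") != OP_ISSUER:
        return None
    return claims


def end_session(sessions: dict, cookie: Optional[str], id_token_hint: Optional[str],
                client_id: str = RP_CLIENT_ID) -> dict:
    """Decide which OP session (if any) to end for a request to end_session_endpoint.

    `sessions` maps OP session cookie values to user ids (constructed store).
    The browser's cookie identifies the session; the hint only says whom the
    RP believes it is logging out, so the two must agree before anything ends.
    """
    cookie_user = sessions.get(cookie) if cookie else None
    hint_user = None
    if id_token_hint:
        claims = verify_id_token(id_token_hint)
        if claims is None or claims.get("aud") != client_id:
            return {"action": "reject", "reason": "invalid id_token hint", "logged_out": []}
        hint_user = claims.get("sub")
    if cookie_user is None:
        # A hint alone proves nothing about who is sitting at this browser.
        return {"action": "nothing", "reason": "no OP session in this browser", "logged_out": []}
    if hint_user is not None and hint_user != cookie_user:
        # Bob's token arriving in Alice's browser: ask the user instead of guessing.
        return {"action": "confirm", "cookie_user": cookie_user, "hint_user": hint_user,
                "logged_out": []}
    del sessions[cookie]  # end only the session bound to this browser's cookie
    return {"action": "logout", "logged_out": [cookie_user]}


if __name__ == "__main__":
    store = {"cookie-alice": "alice", "cookie-bob": "bob"}
    bob_hint = mint_id_token("bob", RP_CLIENT_ID)
    print(end_session(store, "cookie-bob", bob_hint))          # logs out bob only
    print(end_session(store, "cookie-alice", bob_hint))        # mismatch -> confirm
    print(store)                                               # alice's session survives
```

Run as-is to see Bob's logout leave Alice's session untouched (the answer to question (1) is the cookie), and the mismatch branch is where question (2)'s concern lives: a hint that does not match the browser's own session should never silently end a different user's session.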