[Openid-specs-ab] Session management questions

Mike Jones Michael.Jones at microsoft.com
Fri May 24 16:56:06 UTC 2013


You have this deployed now, right?  How is this working in your deployment?

So you’re suggesting that we use the id_token_hint parameter and pass the ID Token to the end_session_endpoint?  What do others think of that?

-- Mike

From: Breno de Medeiros
Sent: Thursday, May 23, 2013 8:23 PM
To: Mike Jones
Cc: Naveen Agarwal, openid-specs-ab at lists.openid.net

I think we should use the same approach as in the immediate flow,
i.e., provide a hint about the intended user. In fact I had suggested
the entire id_token be supplied to the OP.

On Thu, May 23, 2013 at 6:48 PM, Mike Jones <Michael.Jones at microsoft.com> wrote:
> Hi Breno and Naveen,
>
> (1)  Assume that two users (Alice and Bob) have sessions from the same RP
> logged in to the same OP.  Bob decides to log out.  Per the session
> management spec, Bob is logged out of the RP locally and then the RP
> redirects to the OP's end_session_endpoint.  Does the OP also log Alice out
> when Bob consents to the logout action, or just Bob?  If Alice is not logged
> out, how does the OP know which user to log out?  Through Bob's cookie?  (I
> think that this is the case, but wanted to verify it.)
>
> At a minimum, we need to say what is expected to happen in this case in the
> spec.  It wasn't clear to some developers reading it recently.
>
> (2)  In a related question, should we be passing an id_token as a parameter
> to the logout URL so that the OP knows which session to log out?  Or is this
> already known, per the answer to (1)?  Would adding this parameter enable
> additional kinds of attacks?
>
> Thanks,
>
> -- Mike
>



--
--Breno
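The two questions in the thread (which user an end_session_endpoint logs out, and whether passing the ID Token as id_token_hint opens new attacks) can be made concrete with a small model of the OP side. The code below is an added example written for this page; it is not from the thread, from any OpenID specification, or from any real OP. The issuer URL, client_id, HS256 signing key, in-memory session store, and the Alice/Bob sessions are all constructed assumptions, and the choice not to enforce exp on the hint is a design decision of this example rather than a statement of what the spec requires.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example only; nothing here comes from a real deployment.
OP_KEY = b"example-op-signing-key"   # hypothetical HS256 key (keeps the demo stdlib-only)
ISSUER = "https://op.example"        # hypothetical OP issuer
CLIENT_ID = "rp-example"             # hypothetical RP client_id

# Constructed OP session store, keyed by the value of the OP's session cookie.
# Alice and Bob are both logged in at the OP and both have a session at the same RP.
SESSIONS = {
    "cookie-alice": {"sub": "alice", "client_ids": {CLIENT_ID}},
    "cookie-bob": {"sub": "bob", "client_ids": {CLIENT_ID}},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_id_token(sub: str, client_id: str, key: bytes = OP_KEY, now: int = None) -> str:
    """Mint a minimal HS256-signed ID Token (header.payload.signature)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": ISSUER, "sub": sub, "aud": client_id, "iat": now, "exp": now + 3600}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_id_token(token: str, key: bytes = OP_KEY):
    """Return the claims if this OP signed the token, else None.

    exp is deliberately not enforced for a logout hint: an expired ID Token still
    identifies which user and RP the request is about (a choice made for this
    example, not a requirement taken from the spec).
    """
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
        sig = _b64url_decode(s)
    except ValueError:          # covers bad base64, bad JSON and bad UTF-8
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    if claims.get("iss") != ISSUER or "sub" not in claims or "aud" not in claims:
        return None
    return claims


def end_session(cookie: str, id_token_hint: str = None, sessions: dict = SESSIONS):
    """Model of an OP end_session_endpoint handler.

    The user to log out is always the one bound to the browser's OP cookie.
    The id_token_hint never selects a different session; it only lets the OP
    confirm the RP's request is about that same user, and refuse otherwise.
    Returns (outcome, sub_logged_out).
    """
    session = sessions.get(cookie)
    if session is None:
        return "no_session", None          # nothing at the OP to end
    if id_token_hint is not None:
        claims = verify_id_token(id_token_hint)
        if claims is None:
            return "invalid_hint", None    # forged or foreign token: do nothing
        if claims["sub"] != session["sub"] or claims["aud"] not in session["client_ids"]:
            # e.g. Bob's ID Token arriving with Alice's cookie: refuse rather than
            # log Alice out on the strength of someone else's token.
            return "hint_mismatch", None
    sub = session["sub"]
    del sessions[cookie]                   # ends only this browser's OP session
    return "logged_out", sub


if __name__ == "__main__":
    store = {k: dict(v) for k, v in SESSIONS.items()}
    bob_token = issue_id_token("bob", CLIENT_ID)
    print(end_session("cookie-bob", bob_token, store))     # ('logged_out', 'bob')
    print("cookie-alice" in store)                          # True: Alice is untouched
    print(end_session("cookie-alice", bob_token, store))   # ('hint_mismatch', None)
```

The point the model makes for question (1) is that the OP selects the session to end from its own cookie, so Bob's logout cannot touch Alice. For question (2), an attacker who can send a victim's browser to the end_session_endpoint with a stolen or forged id_token_hint gains nothing beyond what the cookie already allowed: a forged hint fails signature verification, and a genuine hint for a different user is rejected as a mismatch instead of being treated as authority to log someone else out.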