[Openid-specs-ab] Session management questions
Nat Sakimura
sakimura at gmail.com
Fri May 24 21:44:01 UTC 2013
=nat via iPhone
On May 25, 2013, at 1:58, Mike Jones <Michael.Jones at microsoft.com> wrote:
You have this deployed now, right? How is this working in your
deployment?
So you’re suggesting that we use the id_token_hint parameter and pass the
ID Token to the end_session_endpoint? What do others think of that?
+1
-- Mike
*From:* Breno de Medeiros
*Sent:* Thursday, May 23, 2013 8:23 PM
*To:* Mike Jones
*Cc:* Naveen Agarwal, openid-specs-ab at lists.openid.net
I think we should use the same approach as in the immediate flow,
i.e., provide a hint about the intended user. In fact I had suggested
the entire id_token be supplied to the OP.
On Thu, May 23, 2013 at 6:48 PM, Mike Jones <Michael.Jones at microsoft.com>
wrote:
> Hi Breno and Naveen,
>
> (1) Assume that two users (Alice and Bob) have sessions from the same RP
> logged into the same OP. Bob decides to log out. Per the session
> management spec, Bob is logged out of the RP locally and then the RP
> redirects to the OP’s end_session_endpoint. Does the OP also log Alice out
> when Bob consents to the logout action, or just Bob? If Alice is not logged
> out, how does the OP know which user to log out? Through Bob’s cookie? (I
> think that this is the case, but wanted to verify it.)
>
> At a minimum, we need to say what is expected to happen in this case in the
> spec. It wasn’t clear to some developers reading it recently.
>
> (2) In a related question, should we be passing an id_token as a parameter
> to the logout URL so that the OP knows which session to log out? Or is this
> already known, per the answer to (1)? Would adding this parameter enable
> additional kinds of attacks?
>
> Thanks,
>
> -- Mike
--
--Breno
_______________________________________________
Openid-specs-ab mailing list
Openid-specs-ab at lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-specs-ab
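The thread's +1 is for passing the ID Token as id_token_hint to the end_session_endpoint. The following is an added example, not code from this thread or from any OpenID Connect implementation, showing a toy OP that answers Mike's questions (1) and (2) the way Breno's proposal implies: the session to end is always the one behind the browser cookie the OP receives, and the id_token_hint is used only to confirm that the token's sub matches that cookie's user (refusing the logout rather than guessing when they disagree) and to validate a post-logout redirect against the client named in aud. The HS256-style symmetric signing, the in-memory sessions dict, the issuer and client names, and the helper names are all assumptions made for the demo.

```python
"""Toy OpenID Provider end_session_endpoint for RP-initiated logout.

Constructed illustration only (not any OP's real code): the ID Token is a
compact JWT signed with an HS256-style key the OP keeps to itself, and
session state lives in a plain dict keyed by the browser's session cookie.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class OpenIDProvider:
    """Minimal OP: browser sessions plus registered clients (assumed model)."""

    def __init__(self, issuer: str, key: bytes):
        self.issuer = issuer
        self.key = key        # assumed HS256 key; a real OP would use an asymmetric key
        self.sessions = {}    # browser cookie value -> {"sub": user identifier}
        self.clients = {}     # client_id -> set of registered post_logout_redirect_uris

    def register_client(self, client_id: str, post_logout_redirect_uris) -> None:
        self.clients[client_id] = set(post_logout_redirect_uris)

    def login(self, sub: str, client_id: str):
        """Create a browser session at the OP and mint an ID Token for the RP."""
        cookie = secrets.token_urlsafe(16)
        self.sessions[cookie] = {"sub": sub}
        now = int(time.time())
        claims = {"iss": self.issuer, "sub": sub, "aud": client_id,
                  "iat": now, "exp": now + 3600}
        return cookie, self._sign(claims)

    def _sign(self, claims: dict) -> str:
        header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
        sig = hmac.new(self.key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        return f"{header}.{payload}.{_b64url(sig)}"

    def verify_id_token(self, token: str):
        """Return the claims if signature and issuer check out, else None.
        Expiry is deliberately not enforced here: a token presented as a
        logout hint may legitimately be past its exp."""
        try:
            header, payload, sig = token.split(".")
        except ValueError:
            return None
        expected = hmac.new(self.key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(payload))
        return claims if claims.get("iss") == self.issuer else None

    def end_session(self, cookie, id_token_hint=None, post_logout_redirect_uri=None):
        """RP-initiated logout. Only the session behind the presented browser
        cookie can be ended (so Bob's logout never touches Alice's session);
        an id_token_hint must name the same user or the OP refuses."""
        session = self.sessions.get(cookie)
        claims = self.verify_id_token(id_token_hint) if id_token_hint else None
        if id_token_hint and claims is None:
            return {"status": "invalid_id_token_hint", "ended_sub": None, "redirect": None}
        if session is None:
            return {"status": "no_session", "ended_sub": None, "redirect": None}
        if claims and claims["sub"] != session["sub"]:
            return {"status": "hint_mismatch", "ended_sub": None, "redirect": None}
        del self.sessions[cookie]
        redirect = None
        # Redirect back to the RP only if the URI is registered for the client in aud.
        if claims and post_logout_redirect_uri in self.clients.get(claims["aud"], set()):
            redirect = post_logout_redirect_uri
        return {"status": "logged_out", "ended_sub": session["sub"], "redirect": redirect}


def scenario():
    """The case from the thread: Alice and Bob both have sessions from the
    same RP at the same OP, and Bob logs out (constructed sample data)."""
    op = OpenIDProvider("https://op.example", secrets.token_bytes(32))
    op.register_client("rp-client", ["https://rp.example/logged-out"])
    alice_cookie, _ = op.login("alice", "rp-client")
    bob_cookie, bob_token = op.login("bob", "rp-client")
    bob = op.end_session(bob_cookie, bob_token, "https://rp.example/logged-out")
    # Bob's token presented from Alice's browser must not end Alice's session.
    cross = op.end_session(alice_cookie, bob_token)
    # A token whose signature was altered is rejected outright.
    h, p, s = bob_token.split(".")
    tampered = op.end_session(alice_cookie, f"{h}.{p}." + ("A" if s[0] != "A" else "B") + s[1:])
    return {"bob": bob, "cross": cross, "tampered": tampered,
            "alice_still_in": alice_cookie in op.sessions}


if __name__ == "__main__":
    print(json.dumps(scenario(), indent=2))
```

The mismatch branch is the practical answer to the "additional attacks" worry in (2): because the OP only ever ends the session of the cookie it actually receives, a hint that names someone else cannot log that other user out; it simply fails closed.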