[Openid-specs-ab] Session management questions

John Bradley ve7jtb at ve7jtb.com
Fri May 24 21:57:50 UTC 2013


Passing the id_token to the end session endpoint lets the IdP validate who is trying to end the session. That may be important in some cases. Sending the whole thing, as long as it is unencrypted, is best.

John B.
On 2013-05-24, at 12:56 PM, Mike Jones <Michael.Jones at microsoft.com> wrote:

> You have this deployed now, right?  How is this working in your deployment?
>  
> So you’re suggesting that we use the id_token_hint parameter and pass the ID Token to the end_session_endpoint?  What do others think of that?
>  
> -- Mike
>  
> From: Breno de Medeiros
> Sent: Thursday, May 23, 2013 8:23 PM
> To: Mike Jones
> Cc: Naveen Agarwal, openid-specs-ab at lists.openid.net
>  
> I think we should use the same approach as in the immediate flow,
> i.e., provide a hint about the intended user. In fact I had suggested
> the entire id_token be supplied to the OP.
> 
> On Thu, May 23, 2013 at 6:48 PM, Mike Jones <Michael.Jones at microsoft.com> wrote:
> > Hi Breno and Naveen,
> >
> > (1)  Assume that two users (Alice and Bob) have sessions from the same RP
> > logged into to the same OP.  Bob decides to log out.  Per the session
> > management spec, Bob is logged out of the RP locally and then the RP
> > redirects to the OP’s end_session_endpoint.  Does the OP also log Alice out
> > when Bob consents the logout action or just Bob?  If Alice is not logged
> > out, how does the OP know which user to log out?  Through Bob’s cookie?  (I
> > think that this is the case, but wanted to verify it.)
> >
> > At a minimum, we need to say what is expected to happen in this case in the
> > spec.  It wasn’t clear to some developers reading it recently.
> >
> > (2)  In a related question, should we be passing an id_token as a parameter
> > to the logout URL so that the OP knows which session to log out?  Or is this
> > already known, per the answer to (1)?  Would adding this parameter enable
> > additional kinds of attacks?
> >
> > Thanks,
> >
> > -- Mike
> >
> 
> -- 
> --Breno
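The check John describes, the OP using the id_token_hint at its end_session_endpoint to confirm which user is ending the session before touching the cookie-bound session (the Alice/Bob case from Mike's first question), as an added Python example that is not part of this thread or of any OpenID implementation. The HS256 key, issuer, client_id values, the stdlib JWT handling and the logout/prompt/reject decision rules are assumptions for the demo, not spec text.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed demo values: a real OP signs ID Tokens with RS256 under its published JWK.
OP_KEY = b"demo-op-signing-key"
OP_ISSUER = "https://op.example"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_id_token(sub: str, aud: str) -> str:
    """Demo-only issuer: an HS256-signed ID Token carrying iss, sub and aud."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"iss": OP_ISSUER, "sub": sub, "aud": aud}).encode())
    sig = hmac.new(OP_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def parse_id_token_hint(token: str) -> Optional[dict]:
    """Return the claims only if the hint was signed by this OP; None otherwise."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(OP_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(payload))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    return claims if isinstance(claims, dict) and claims.get("iss") == OP_ISSUER else None

def end_session(session_sub: Optional[str], id_token_hint: Optional[str],
                client_id: str) -> Tuple[str, Optional[str]]:
    """OP decision at end_session_endpoint: session_sub is the subject bound to the
    browser's OP cookie (None = no session). Returns (action, sub), action in
    {"logout", "prompt", "reject"}; the rules are an assumed policy, not spec text."""
    if session_sub is None:
        return ("prompt", None)         # nothing to end; just show the logout page
    if id_token_hint is None:
        return ("prompt", session_sub)  # no hint: ask the user to confirm
    claims = parse_id_token_hint(id_token_hint)
    if claims is None or claims.get("aud") != client_id:
        return ("reject", session_sub)  # forged or foreign token: take no action
    if claims["sub"] != session_sub:
        return ("prompt", session_sub)  # hint names another user (Alice vs Bob case)
    return ("logout", session_sub)      # hint matches the cookie: end this session only
```

Only the session named by the browser's own cookie is ever ended, so Bob's logout cannot reach Alice's session, and a hint that was not signed by this OP is simply ignored.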
