[Openid-specs-ab] Issue #922: Session cleanup via back-channel (openid/connect)
Pedro Félix
issues-reply at bitbucket.org
Thu Mar 13 15:47:46 UTC 2014
New issue 922: Session cleanup via back-channel
https://bitbucket.org/openid/connect/issue/922/session-cleanup-via-back-channel
Pedro Félix:
I've a scenario where an OIDC OP is acting as a bridge between upstream IdPs using non-OIDC protocols (e.g. Shibboleth) and downstream RPs using OIDC.
In this scenario I have the following requirements:
1. The upstream IdP notifies the OP of a session termination via back-channel
2. The OP needs to propagate this cleanup notification to the downstream RPs, also via back-channel (a back-channel to front-channel transition is not possible)
OIDC should define an optional mechanism to perform this type of IdP-initiated cleanup via back-channel. From the RP viewpoint, the requirements are:
* correctly identify the originator of the request - the OP
* correctly identify the destination of the request - itself
* correctly identify the session's subject
An option would be for the OP to make a request to a "cleanup endpoint" using a bearer JWT with:
* "iss" set to the OP issuer claim
* "aud" set to the RP's client_id
* "sub" set to the user's unique claim
* "nbf" and "exp" defining a rather short interval, to avoid replays
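As an added illustration (not code from the issue or from the OpenID project), here is how an RP's "cleanup endpoint" could check a bearer JWT carrying exactly the four claims proposed above: signature and iss for the originator, aud for the destination, sub for the session subject, and a short nbf..exp window. The issuer URL, client_id, shared HMAC key (HS256 is assumed for a self-contained demo; a real OP would normally sign with its published RS keys) and the 120-second maximum window are constructed values.

```python
import base64, hashlib, hmac, json

# Constructed example values (assumptions, not from the issue): the OP issuer the RP
# trusts, the RP's own client_id, a key shared with the OP, and the longest nbf..exp window accepted.
OP_ISSUER = "https://op.example.org"
RP_CLIENT_ID = "rp-client-123"
SHARED_KEY = b"constructed-demo-key"
MAX_WINDOW_SECONDS = 120

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_cleanup_jwt(sub, now, ttl=60, aud=RP_CLIENT_ID, iss=OP_ISSUER):
    """OP side: mint the HS256-signed cleanup JWT with the four proposed claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = {"iss": iss, "aud": aud, "sub": sub, "nbf": now, "exp": now + ttl}
    claims = _b64url(json.dumps(body).encode())
    sig = hmac.new(SHARED_KEY, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{_b64url(sig)}"

def validate_cleanup_jwt(token, now):
    """RP cleanup endpoint: check originator (signature + iss), destination (aud),
    subject (sub) and the nbf/exp window; return the subject to log out, else raise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header, claims, sig = parts
    expected = hmac.new(SHARED_KEY, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("signature does not verify: not from the OP")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    c = json.loads(_b64url_decode(claims))
    if c.get("iss") != OP_ISSUER:
        raise ValueError("iss is not the trusted OP")
    aud = c.get("aud")
    if RP_CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("aud does not name this RP")
    if not isinstance(c.get("sub"), str) or not c["sub"]:
        raise ValueError("sub missing")
    nbf, exp = c.get("nbf"), c.get("exp")
    if not isinstance(nbf, int) or not isinstance(exp, int) or exp - nbf > MAX_WINDOW_SECONDS:
        raise ValueError("nbf/exp missing or window too long to limit replays")
    if not nbf <= now <= exp:
        raise ValueError("outside the nbf..exp window (stale or replayed request)")
    return c["sub"]
```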