[Openid-specs-ab] Session Management / Logout Discussion at IIW 6-May-14
Mike Jones
Michael.Jones at microsoft.com
Wed May 7 00:52:18 UTC 2014
Session Management / Logout Discussion at IIW 6-May-14
Back channel logout
Multiple RP sessions might be logged in at once
OP doesn't have session identifiers
Torsten - back channel logout has been shown to cause problems
Chuck - the session-based SAML logout doesn't work well and isn't supported
Brian - requiring JavaScript on every page a non-starter in enterprise contexts
Alan Karp - Better UI could help users better understand what's actually going on
John - one requirement can be extending session lifetimes across sessions
Chuck - The only session state typically present is the session cookie
Brian - SAML has fragile redirect chain
Another means is for the IdP to do a GET to each RP endpoint
Ping is currently implementing something like that
Naveen - Unless the browser tab is active, the JavaScript logout doesn't work
Naveen - Yahoo had a variant where they stored state for all sessions in a single cookie
Brian - Doing GETs to single-pixel images, which trigger logouts
John - The RP could check the referer if it wants to secure the logout
But in general, not protectable against XSRF
Chuck - Browsers are getting better about preventing cookie state manipulation in iframes
Torsten - Will check what DT is doing
John - ID Token "exp" claim doesn't trigger logout in practice
Naveen - We could just document both front channel mechanisms as optional
Enterprises might choose one method, the Web might choose another
We should document both as a next step
Mike - If we support multiple mechanisms, the RPs would get to decide
John - Back channel notification is yet a third mechanism
David Pinter - The front channel won't always be available
Bill Mills - Security policy may require ability to kill all sessions
John - A compromise back channel mechanism is notifying RPs on the back channel of a state change
Mechanisms:
postMessage:
Pro: RPs get notifications, minimal web traffic
Con: Requires RP JavaScript
Doesn't work when RP tab not active
image/iframe GETs:
Pro: Doesn't require JavaScript
Still uses session cookies
Con: IdP needs to track active RP sessions
Ugly logout page
All RPs might not be notified before the browser is closed
backchannel notifications:
Pro: Works even when RP tab not active
Con: Requires RP logic to identify and communicate with session to logout
IdP scaling issues
Chuck - Current spec doesn't work for enterprise use cases because of JavaScript requirement
and because the RP must be active for the logout to work
Chuck - We didn't put "jti" in the ID Token - we could for enabling logout
That would enable correlating back channel notifications received to active sessions
Open questions about whether to use the same ID in multiple responses to same RP
Probably use a separate session identifier that is not "jti"
Dale - Back channel notification is effectively ID Token revocation
Chuck - The OP wants to be authoritative for the session ID
Chuck - Revoking a session could be done like an OAuth revocation
OAuth revocation supports CORS and JSONP
Actions:
Add image/iframe description to Session Management
Also describe back channel mechanism
Then we decide what to do after that
Naveen, Breno - Google is planning to build a token caching layer
It would get tokens at login time and clear them at logout
It would send notifications when things change
It would communicate internally with postMessage
postMessage requires a security layer
George - How is this like the Trusted Agent in the Native Applications work?
Naveen - It's a lot like that
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20140507/d53a11a7/attachment.html>
More information about the Openid-specs-ab
mailing list