[Openid-specs-ab] Session Management discussion at EIC.
Nat Sakimura
sakimura at gmail.com
Tue May 13 10:49:05 UTC 2014
The "Note Well" was sited before starting the session at 12:15.
Mike explained the pros and cons of the three approaches:
#1. postMessage 0
#2. image/iframe GETs 8
#3. backchannel 11
Then, he went on to ask the questions to the room:
Q1. If you have only one of the below, which one would you choose?
#1. postMessage 0
#2. image/iframe GETs 8
#3. backchannel 11
Reasons for preferring #3: Backchannel:
- Only the mechanism to guarantee the logout.
- Session sync between IdP and SP possible only in this.
- Can administratively logout users from SP.
Reasons for preferring #2: image/iframe GETs:
- Cheapest option. Backchannel requires change in the SPs, and implementing
it correctly can be hard.
To find out why there was nobody who preferred #1, John Bradley asked the
room:
Q. Is there anybody who supports AJAX client?
Only 1.
Then, it was pointed out from the floor that approach #1 requires all the
clients to have the code and excludes the possibility of having another
security layer such as a proxy.
One "Con" of the Backchannel method was sited after the session was over:
If the SP is not directly reachable from the IdP, it does not work.
--
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en