[Openid-specs-ab] OpenID Connect Logout using HTTP GET
Mike Jones
Michael.Jones at microsoft.com
Sat Feb 21 01:10:42 UTC 2015
It never seems to fail - you send something out then you immediately realize what's wrong with it. ;-) In this case, I realized that the "sid" (Session ID) isn't sufficient, in general, for the RP to identify the session that the logout request pertains to, since the "sid" is issuer-specific (just like "sub" is). The RP also needs to know the issuer. The most straightforward way to provide this is probably also having an "iss=issuer" query parameter for the logout request to the RP, in addition to the "sid=sessionID" query parameter.
Comments?
-- Mike
From: Openid-specs-ab [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Mike Jones
Sent: Friday, February 20, 2015 4:37 PM
To: openid-specs-ab at lists.openid.net
Subject: Re: [Openid-specs-ab] OpenID Connect Logout using HTTP GET
A third iteration of the proposed OpenID Connect spec on logout using HTTP GET is attached. (It's now a two-pager.) This incorporates the results of the useful discussion on Thursday's call. Keep those cards and letters coming!
Changes were:
* Replaced the optional id_token parameter with an optional sid (Session ID) parameter.
* Enabled the use of iframes with nested images or iframes to achieve downstream logouts.
-- Mike
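The point made in the message above, that an RP needs the issuer as well as the "sid" to pick out the session a logout request refers to, shown as an added Python example (not part of the original message or the attached draft). The issuer URLs, sid value, RP logout URL and all class and function names are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs


class RPSessionStore:
    """RP-side index of local sessions, keyed by (issuer, sid)."""

    def __init__(self):
        self._sessions = {}  # (iss, sid) -> local session handle

    def register(self, iss, sid, local_session):
        self._sessions[(iss, sid)] = local_session

    def lookup_by_sid_only(self, sid):
        # What a sid-only logout request would have to do: every issuer's
        # session carrying this sid matches, so the result can be ambiguous.
        return sorted(s for (_, x), s in self._sessions.items() if x == sid)

    def logout(self, iss, sid):
        # Remove and return the one session named by the (iss, sid) pair.
        return self._sessions.pop((iss, sid), None)


def handle_logout_get(store, url):
    """Process a logout GET carrying iss and sid query parameters.

    Assumption: this sketch only handles requests that supply exactly one
    iss and one sid; anything else is ignored (returns None).
    """
    q = parse_qs(urlsplit(url).query)
    iss, sid = q.get("iss", []), q.get("sid", [])
    if len(iss) != 1 or len(sid) != 1:
        return None
    return store.logout(iss[0], sid[0])


def build_demo_store():
    # Constructed data: two different OPs happen to issue the same sid value.
    store = RPSessionStore()
    store.register("https://op-a.example", "08a5019c", "local-1")
    store.register("https://op-b.example", "08a5019c", "local-2")
    return store


if __name__ == "__main__":
    store = build_demo_store()
    print(store.lookup_by_sid_only("08a5019c"))
    print(handle_logout_get(
        store, "https://rp.example/logout?iss=https%3A%2F%2Fop-b.example&sid=08a5019c"))
    print(store.lookup_by_sid_only("08a5019c"))
```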