[Openid-specs-ab] First full HTML-based logout spec published
Jim des Rivieres
Jim_des_Rivieres at ca.ibm.com
Mon Mar 16 15:33:48 UTC 2015
Here are some comments on draft 00 of OpenID Connect HTTP-Based Logout
1.0.
re: 2. Relying Party Logout Functionality
> Upon receiving the GET, the RP clears state associated with the
logged-in session, including any cookies, and then returns an image and a
HTTP 200 status code.
The RP's response also needs anti-caching headers (Cache-Control:
no-store, Pragma: no-cache) to prevent the user agent from caching the
response. Otherwise caching of one logout response could interfere with
future logouts.
> If the RP supports OpenID Connect Dynamic Client Registration 1.0
[OpenID.Registration], it uses this metadata value to register the logout
URL:
Regardless of whether the RP supports OpenID.Registration, the RP's
registration with the OP needs to include the logout URL,
logout_use_iframe and logout_session_required settings (when OP supports
latter). This makes it awkward to frame this section entirely in terms of
OpenID.Registration. Since a parameter is passed to the logout URL, it
might be clearer to call it the RP's Logout endpoint (cf. OAuth2
Redirection endpoint). Like other OAuth2/OIDC endpoint URIs, the spec
should spell out the restrictions on the endpoint URI; e.g., "The Logout
endpoint URI MUST be an absolute URI as defined by [RFC3986] Section 4.3.
The Logout endpoint URI MAY include an "application/x-www-form-urlencoded"
formatted (per [RFC 6749] Appendix B) query component ([RFC3986] Section
3.4), which MUST be retained when adding additional query parameters. The
Logout endpoint URI MUST NOT include a fragment component."
re: 3. OpenID Provider Logout Functionality
> sid (Session ID) OPTIONAL. String identifier for a Session - a pairing
of an OP to a User Agent or device for a logged-in End-User.
Shouldn't the Session ID bind in the RP as well? If an OP were to use the
same sid value across multiple RPs, it would be easy enough for a naughty
RP to cause another RP2 to logout, with no way for RP2 to defend itself.
Regards,
Jim
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20150316/a8ca4a63/attachment.html>
More information about the Openid-specs-ab
mailing list