[Openid-specs-ab] Front Channel Logout URI ?
Justin Richer
jricher at mit.edu
Thu Nov 12 16:49:08 UTC 2015
What's confusing about the current setup?
1) RP sends the user to the IdP's "end_session_endpoint" in the browser.
2) IdP loads a page there that includes IFrames to every active RP's
"logout_uri".
3) IdP then sends a redirect to the original requesting RP's
"post_logout_redirect_uri".
There's nothing in the spec that even hints that the
"end_session_endpoint" page not be rendered, as you hint below. In fact,
the specs speak of multiple interactions including prompting the user
for logout, which would require rendering a page.
In the end, you're about to invent something that already exists, but do
so under a different name so that your software isn't compatible with
anyone else's. I wouldn't recommend that approach.
-- Justin
On 11/12/2015 10:07 AM, Mike Schwartz wrote:
> Mike Jones,
>
> Sorry, this makes no sense to us. We added a new OP Discovery param
> "end_session_page" and are proceeding with that because your solution
> is unworkable.
>
> end_session_endpoint has a post_logout_redirect_uri parameter. This
> endpoint must send a redirect response to the post_logout_redirect_uri
> after logout and NOT return a page (with iframe).
>
> - Mike Schwartz
>
>
> -------- Original Message --------
> Subject: Re: Fwd: RE: [Openid-specs-ab] Front Channel Logout URI ?
> Date: 2015-11-03 07:23
> From: yuriy at gluu.org
> To: Mike Schwartz <mike at gluu.org>
>
> I don't understand it.
>
>
>> -------- Original Message --------
>> Subject: RE: [Openid-specs-ab] Front Channel Logout URI ?
>> Date: 2015-11-02 18:32
>> From: Mike Jones <Michael.Jones at microsoft.com>
>> To: Mike Schwartz <mike at gluu.org>, "openid-specs-ab at lists.openid.net"
>> <openid-specs-ab at lists.openid.net>
>>
>> Yes, the end_session_endpoint OP discovery URL can be used by RPs to
>> trigger logout at the OP. This is true for all three of the session
>> management/logout specifications. This functionality is shared
>> between all of them. There's no "differentiation", by design.
>>
>> Answering your specific question, it's up to the OP whether it renders
>> the front channel logout iframes in the page at the location specified
>> by end_session_endpoint OP discovery URL or a different page at an
>> unspecified URL controlled by the OP that it redirects to.
>>
>> -- Mike
>>
>> -----Original Message-----
>> From: Openid-specs-ab
>> [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Mike
>> Schwartz
>> Sent: Tuesday, November 03, 2015 3:48 AM
>> To: openid-specs-ab at lists.openid.net
>> Subject: Re: [Openid-specs-ab] Front Channel Logout URI ?
>>
>>
>> Mike Jones,
>>
>> Are you suggesting that the "end_session_endpoint" OP discovery claim
>> would return this page with the iframe(s) in it? If so, how would one
>> differentiate it from the session management API?
>>
>> - Mike
>>
>>
>>> I should have been more specific...
>>>
>>> http://openid.net/specs/openid-connect-logout-1_0.html
>>> mentions that the OP renders <iframe src="logout_uri"> in a **page**
>>>
>>> What is the url of the **page** on the OP? The logout_uri is defined
>>> as a resource on the RP. How would the RP retrieve this **page**?
>>>
>>> - Mike Schwartz
>>>
>>
>> -------------------------------------
>> Michael Schwartz
>> Gluu
>> Founder / CEO
>> mike at gluu.org
>> _______________________________________________
>> Openid-specs-ab mailing list
>> Openid-specs-ab at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>
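
The three-step flow from the top message (page at "end_session_endpoint", IFrames to each active RP's "logout_uri", then the redirect to "post_logout_redirect_uri"), as an added example that is not part of the original thread or of any OP's code. The client registrations, function names, the https-only rule and the script-driven redirect once the IFrames have loaded are assumptions made for the sketch.

```python
import html
import json
from urllib.parse import urlsplit

# Constructed registrations; client ids and URLs are hypothetical.
CLIENTS = {
    "rp-a": {"logout_uri": "https://rp-a.example/logout",
             "post_logout_redirect_uris": ["https://rp-a.example/bye"]},
    "rp-b": {"logout_uri": "https://rp-b.example/oidc/logout?src=op&v=1",
             "post_logout_redirect_uris": []},
}


def validated_redirect(client_id, requested):
    """Step 3 target: only an exact match of a registered URI is honoured."""
    registered = CLIENTS[client_id]["post_logout_redirect_uris"]
    return requested if requested in registered else None


def logout_iframes(active_client_ids):
    """Step 2: one hidden iframe per active RP, attribute-escaped."""
    frames = []
    for cid in active_client_ids:
        uri = CLIENTS[cid]["logout_uri"]
        if urlsplit(uri).scheme != "https":
            continue  # assumption: this OP only frames https logout URIs
        frames.append('<iframe src="%s" hidden onload="done()"></iframe>'
                      % html.escape(uri, quote=True))
    return frames


def render_end_session_page(client_id, active_client_ids, requested_redirect=None):
    """HTML served at end_session_endpoint for the requesting RP."""
    frames = logout_iframes(active_client_ids)
    target = validated_redirect(client_id, requested_redirect)
    # JSON-encode for the script context; \u003c keeps "</script>" inert.
    js_target = json.dumps(target).replace("<", "\\u003c")
    script = ("<script>var left=%d,target=%s;"
              "function go(){if(target)location.replace(target);}"
              "function done(){if(--left===0)go();}"
              "if(left===0)go();setTimeout(go,5000);</script>"
              % (len(frames), js_target))
    return ("<!doctype html><title>Signed out</title>" + script
            + "".join(frames) + "<p>You have been signed out.</p>")
```

An unregistered "post_logout_redirect_uri" leaves the user on the OP's signed-out page instead of being forwarded, which keeps the endpoint from acting as an open redirector.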