[Openid-specs-ab] Front Channel Logout URI ?

Mike Schwartz mike at gluu.org
Thu Nov 12 22:32:59 UTC 2015


Justin,

Let's say we redirect with JavaScript right after the page loads. The 
iframe is detached from the parent html, so how do we know if the iframe 
started to load before we redirect?

Overloading one endpoint with lots of features seems complex.
What was the reason for this design?

- Mike



On 2015-11-12 10:49, Justin Richer wrote:
> What's confusing about the current setup?
> 
> 1) RP sends the user to the IdP's "end_session_endpoint" in the 
> browser.
> 
> 2) IdP loads a page there that includes IFrames to every active RP's
> "logout_uri".
> 
> 3) IdP then sends a redirect to the original requesting RP's
> "post_logout_redirect_uri".
> 
> There's nothing in the spec that even hints that the
> "end_session_endpoint" page not be rendered, as you hint below. In
> fact, the specs speak of multiple interactions including prompting the
> user for logout, which would require rendering a page.
> 
> In the end, you're about to invent something that already exists, but
> do so under a different name so that your software isn't compatible
> with anyone else's. I wouldn't recommend that approach.
> 
>  -- Justin
> 
> On 11/12/2015 10:07 AM, Mike Schwartz wrote:
>> Mike Jones,
>> 
>> Sorry, this makes no sense to us. We added a new OP Discovery param 
>> "end_session_page" and are proceeding with that because your solution 
>> is unworkable.
>> 
>> end_session_endpoint has a post_logout_redirect_uri parameter. This 
>> endpoint must send a redirect response to the post_logout_redirect_uri 
>> after logout and NOT return a page (with iframe).
>> 
>> - Mike Schwartz
>> 
>> 
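
The three-step flow quoted above, together with the load-ordering question in the reply, as an added example that is not part of the original thread or of any OP's code. The function names, the URLs and the wait-with-timeout approach are assumptions: the logout page delays the redirect until every RP iframe has fired `load` or a deadline passes, and it only redirects to a `post_logout_redirect_uri` that the RP registered.

```javascript
// Added example; all names and URLs here are hypothetical/constructed.
// Decides when the OP's logout page may leave for post_logout_redirect_uri.
function createLogoutTracker(rpLogoutUris, registeredRedirects, requestedRedirect) {
  const pending = new Set(rpLogoutUris);
  const timedOut = [];
  let done = false;
  // Honor only a redirect URI the RP registered; otherwise stay on the OP page.
  const redirectTo = registeredRedirects.includes(requestedRedirect)
    ? requestedRedirect : null;
  const finish = () => {
    done = true;
    return { redirectTo, timedOut: [...timedOut] };
  };
  return {
    // Call from each iframe's "load" event. A load event means the request
    // completed, not that the RP actually cleared its session.
    frameLoaded(uri) {
      if (done) return null;
      pending.delete(uri);
      return pending.size === 0 ? finish() : null;
    },
    // Call when the wait budget expires so one slow RP cannot block logout.
    deadline() {
      if (done) return null;
      timedOut.push(...pending);
      pending.clear();
      return finish();
    },
  };
}

// Browser binding: doc and win are the page's document and window.
function renderLogoutFrames(doc, win, uris, registered, requested, timeoutMs) {
  const tracker = createLogoutTracker(uris, registered, requested);
  const act = (r) => { if (r && r.redirectTo) win.location.replace(r.redirectTo); };
  for (const uri of uris) {
    const frame = doc.createElement("iframe");
    frame.style.display = "none";
    frame.addEventListener("load", () => act(tracker.frameLoaded(uri)));
    frame.src = uri;
    doc.body.appendChild(frame);
  }
  if (uris.length === 0) act(tracker.deadline());
  else win.setTimeout(() => act(tracker.deadline()), timeoutMs);
}
```

The `timedOut` list names the RPs whose iframes never finished loading, which is worth logging on the OP side because those sessions may still be live.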


