[Openid-specs-ab] Front Channel Logout URI ?

Justin Richer jricher at mit.edu
Thu Nov 12 22:36:06 UTC 2015 

So... don’t do that? There was a whole thread here on the list about trying to detect page loads in iframes and other related things, and the end result was that it really needs to be a best effort on your part as the IdP. There’s no good way to guarantee results, you can try to signal and hope for the best. Remember, the user can always just close the browser before even the logout page loads in the first place.

It’s not overloading functionality. It’s the same set of functionality, logout, on one page.

 — Justin

> On Nov 12, 2015, at 5:32 PM, Mike Schwartz <mike at gluu.org> wrote:
> 
> Justin,
> 
> Let's say we redirect with Javascript right after the page loads. The iframe is detached from the parent html, so how do we know if the iframe started to load before we redirect?
> 
> Overloading one endpoint with lots of features seems complex.
> What was the reason for this design?
> 
> - Mike
> 
> 
> 
> On 2015-11-12 10:49, Justin Richer wrote:
>> What's confusing about the current setup?
>> 1) RP sends the user to the IdP's "end_session_endpoint" in the browser.
>> 2) IdP loads a page there that includes IFrames to every active RP's
>> "logout_uri".
>> 3) IdP then sends a redirect to the original requesting RP's
>> "post_logout_redirect_uri".
>> There's nothing in the spec that even hints that the
>> "end_session_endpoint" page not be rendered, as you hint below. In
>> fact, the specs speak of multiple interactions including prompting the
>> user for logout, which would require rendering a page.
>> In the end, you're about to invent something that already exists, but
>> do so under a different name so that your software isn't compatible
>> with anyone else's. I wouldn't recommend that approach.
>> -- Justin
>> On 11/12/2015 10:07 AM, Mike Schwartz wrote:
>>> Mike Jones,
>>> Sorry, this makes no sense to us. We added a new OP Discovery param "end_session_page" and are proceeding with that because your solution is unworkable.
>>> end_session_endpoint has a post_logout_redirect_uri parameter. This endpoint must send a redirect response to the post_logout_redirect_uri after logout and NOT return page (with iframe).
>>> - Mike Schwartz
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab

More information about the Openid-specs-ab mailing list