[Openid-specs-ab] Front Channel Logout URI ?

Thomas Broyer t.broyer at gmail.com
Fri Nov 13 17:06:51 UTC 2015


On Fri, Nov 13, 2015 at 5:55 PM Thomas Broyer <t.broyer at gmail.com> wrote:

> I don't remember the details of that thread mentioned by Justin, but
> "onload" in JS is supposed to fire *after* all iframes have loaded:
> https://jsfiddle.net/1hLovbj1/
> …and the same is supposed to be true of "meta refresh".
>

https://jsfiddle.net/wnudcdhh/2/
(tried in Chrome and Firefox on Linux, and Chrome on Android)


> On Thu, Nov 12, 2015 at 11:42 PM Chuck Mortimore <
> cmortimore at salesforce.com> wrote:
>
>> Register onload events for the child iframes, and fire your redirect once
>> you have confidence or have given up.
>>
>> -cmort
>>
>> On Thu, Nov 12, 2015 at 2:32 PM, Mike Schwartz <mike at gluu.org> wrote:
>>
>>> Justin,
>>>
>>> Let's say we redirect with JavaScript right after the page loads. The
>>> iframe is detached from the parent html, so how do we know if the iframe
>>> started to load before we redirect?
>>>
>>> Overloading one endpoint with lots of features seems complex.
>>> What was the reason for this design?
>>>
>>> - Mike
>>>
>>>
>>>
>>> On 2015-11-12 10:49, Justin Richer wrote:
>>>
>>>> What's confusing about the current setup?
>>>>
>>>> 1) RP sends the user to the IdP's "end_session_endpoint" in the browser.
>>>>
>>>> 2) IdP loads a page there that includes IFrames to every active RP's
>>>> "logout_uri".
>>>>
>>>> 3) IdP then sends a redirect to the original requesting RP's
>>>> "post_logout_redirect_uri".
>>>>
>>>> There's nothing in the spec that even hints that the
>>>> "end_session_endpoint" page not be rendered, as you hint below. In
>>>> fact, the specs speak of multiple interactions including prompting the
>>>> user for logout, which would require rendering a page.
>>>>
>>>> In the end, you're about to invent something that already exists, but
>>>> do so under a different name so that your software isn't compatible
>>>> with anyone else's. I wouldn't recommend that approach.
>>>>
>>>>  -- Justin
>>>>
>>>> On 11/12/2015 10:07 AM, Mike Schwartz wrote:
>>>>
>>>>> Mike Jones,
>>>>>
>>>>> Sorry, this makes no sense to us. We added a new OP Discovery param
>>>>> "end_session_page" and are proceeding with that because your solution is
>>>>> unworkable.
>>>>>
>>>>> end_session_endpoint has a post_logout_redirect_uri parameter. This
>>>>> endpoint must send a redirect response to the post_logout_redirect_uri
>>>>> after logout and NOT return a page (with iframe).
>>>>>
>>>>> - Mike Schwartz
>>>>>
>>>>>
>>>>> _______________________________________________
>>> Openid-specs-ab mailing list
>>> Openid-specs-ab at lists.openid.net
>>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>>>
>>
>
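The approach quoted above (register load handlers on the RP iframes, then redirect once they have fired or you have given up), as an added example that is not part of the original message or any poster's code. The function name, the option names and the exact-match check of post_logout_redirect_uri against the RP's registered values are assumptions of this example.

```javascript
// Added example: script for the page the IdP renders at end_session_endpoint.
// waitForLogoutFrames and every option name are hypothetical.
// Attach listeners BEFORE each iframe's src is set, so a fast load is not missed.
function waitForLogoutFrames(frames, opts) {
  const { timeoutMs, redirectUri, registeredUris, navigate } = opts;
  const setTimer = opts.setTimer || setTimeout;
  const clearTimer = opts.clearTimer || clearTimeout;

  // Redirect only to a URI registered for the RP: exact match, no prefixes.
  const target = registeredUris.includes(redirectUri) ? redirectUri : null;

  const pending = new Set(frames);
  const state = { done: false, reason: null, unconfirmed: 0 };
  let timer = null;

  function finish(reason) {
    if (state.done) return;            // a late load or timer must not redirect twice
    state.done = true;
    state.reason = reason;
    state.unconfirmed = pending.size;  // frames that never fired "load"
    if (timer !== null) clearTimer(timer);
    if (target !== null) navigate(target);
  }

  for (const frame of frames) {
    // "load" only means the frame finished loading its logout_uri; a
    // cross-origin parent cannot see whether the RP really cleared its session.
    frame.addEventListener("load", () => {
      pending.delete(frame);
      if (pending.size === 0) finish("all-loaded");
    }, { once: true });
  }

  timer = setTimer(() => finish("timeout"), timeoutMs);  // the "given up" branch
  if (pending.size === 0) finish("all-loaded");          // no active RPs at all
  return state;
}
```

In a browser, `frames` would be the iframe elements pointing at each RP's logout_uri and `navigate` would be `(u) => window.location.replace(u)`.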