[Openid-specs-ab] Back-Channel Logout Token Proposal
William Denniss
wdenniss at google.com
Thu Apr 7 21:46:14 UTC 2016
I had a discussion with Mike, John and Nat about event JWT formats at
IETF95, specifically as they relate to the Back-Channel Logout spec.
Here is an example of what the Back-Channel Logout Token could look like
with an extensible event treatment:
{
  "iss": "https://server.example.com",
  "aud": "s6BhdRkqt3",
  "jti": "3d0c3cf797584bd193bd0fb1bd4e7d30",
  "sub": "248289761001",
  "iat": 1458668180,
  "exp": 1458668580,
  "events": [
    "https://specs.openid.net/logout"
  ],
  "https://specs.openid.net/logout": {
    "sid": "08a5019c-17e1-4977-8f42-65a12843ea02"
  }
}
The proposed change is replacing the "logout_only" claim in the current draft
<http://openid.net/specs/openid-connect-backchannel-1_0.html#LogoutToken>
with an "events" claim, a list of event type URI references. Each of these
event type URIs is also a claim of its own, containing the event-specific
attributes. The Back-Channel Logout spec would register just 1 event type:
"https://specs.openid.net/logout", and the "sid" attribute would move to the
logout attribute group.
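
Added example, not part of the original message or of the spec: one way a relying party could check the claims of the proposed token before ending a session. It assumes the JWT signature has already been verified; the function name, the error class and the in-memory replay set are hypothetical.

```python
import time

LOGOUT_EVENT = "https://specs.openid.net/logout"  # event type URI from the proposal

# Claims copied from the example token in the message above.
SAMPLE = {
    "iss": "https://server.example.com", "aud": "s6BhdRkqt3",
    "jti": "3d0c3cf797584bd193bd0fb1bd4e7d30", "sub": "248289761001",
    "iat": 1458668180, "exp": 1458668580,
    "events": [LOGOUT_EVENT],
    LOGOUT_EVENT: {"sid": "08a5019c-17e1-4977-8f42-65a12843ea02"},
}


class LogoutTokenError(ValueError):
    """Raised when the claims must not be acted on (hypothetical name)."""


def validate_logout_claims(claims, issuer, client_id, seen_jti, now=None, skew=60):
    """Check signature-verified claims; return (sub, sid) of the session to end."""
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise LogoutTokenError("unexpected issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise LogoutTokenError("token not addressed to this client")
    iat, exp = claims.get("iat"), claims.get("exp")
    if type(iat) not in (int, float) or type(exp) not in (int, float):
        raise LogoutTokenError("iat/exp missing or not numeric")
    if iat > now + skew or exp < now - skew:
        raise LogoutTokenError("token outside its validity window")
    events = claims.get("events")
    if not isinstance(events, list) or LOGOUT_EVENT not in events:
        raise LogoutTokenError("not a logout event token")
    # Each listed event type URI must also be a claim holding its attributes.
    for uri in events:
        if not isinstance(uri, str) or not isinstance(claims.get(uri), dict):
            raise LogoutTokenError("event without an attribute object")
    sid, sub = claims[LOGOUT_EVENT].get("sid"), claims.get("sub")
    sid = sid if isinstance(sid, str) else None
    sub = sub if isinstance(sub, str) else None
    if sid is None and sub is None:
        raise LogoutTokenError("neither sub nor sid identifies a session")
    # Reject replays last, so a rejected token does not consume its jti.
    jti = claims.get("jti")
    if not isinstance(jti, str) or jti in seen_jti:
        raise LogoutTokenError("missing or replayed jti")
    seen_jti.add(jti)
    return sub, sid
```

In a real deployment the replay set would be a shared store whose entries expire once the token's "exp" has passed.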