[Openid-specs-ab] Back-Channel Logout Token Proposal
Mike Jones
Michael.Jones at microsoft.com
Thu Apr 7 22:03:42 UTC 2016
I’ll note that the “events” syntax below is based on Phil Hunt’s ID Events proposal, which William has been working on with him. See the id-event mailing list for more details. The announcement of the id-event mailing list is at http://www.ietf.org/mail-archive/web/ietf-announce/current/msg14839.html.
-- Mike
From: Openid-specs-ab [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of William Denniss
Sent: Thursday, April 7, 2016 6:46 PM
To: openid-specs-ab at lists.openid.net
Subject: [Openid-specs-ab] Back-Channel Logout Token Proposal
I had a discussion with Mike, John and Nat about event JWT formats at IETF95, specifically as they relate to the Back-Channel Logout spec.
Here is an example of what the Back-Channel Logout Token could look like with an extensible event treatment:
    {
      "iss": "https://server.example.com",
      "aud": "s6BhdRkqt3",
      "jti": "3d0c3cf797584bd193bd0fb1bd4e7d30",
      "sub": "248289761001",
      "iat": 1458668180,
      "exp": 1458668580,
      "events": [
        "https://specs.openid.net/logout"
      ],
      "https://specs.openid.net/logout": {
        "sid": "08a5019c-17e1-4977-8f42-65a12843ea02"
      }
    }
The proposed change is replacing the "logout_only" claim in the current draft <http://openid.net/specs/openid-connect-backchannel-1_0.html#LogoutToken> with an "events" claim, a list of event type URI references. Each of these event type URIs is also a claim of its own, containing the event-specific attributes. The Back-Channel Logout spec would register just 1 event type: "https://specs.openid.net/logout", and the "sid" attribute would move to the logout attribute group.