[Openid-specs-ab] Back-Channel Logout Token Proposal
Anthony Nadalin
tonynad at microsoft.com
Sat Apr 9 22:10:28 UTC 2016
Worried about
1. Timestamps
2. Event versioning
3. Schema for the actual event
From: Openid-specs-ab [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of William Denniss
Sent: Friday, April 8, 2016 8:11 AM
To: Mike Jones <Michael.Jones at microsoft.com>
Cc: openid-specs-ab at lists.openid.net
Subject: Re: [Openid-specs-ab] Back-Channel Logout Token Proposal
Thanks for pointing this out Mike, that's correct.
Thinking a little more about this, we probably keep the session-id claim ("sid") as a standard JWT claim, as it is useful in many places (e.g. ID Tokens), so perhaps a better logout token format would be:
{
  "iss": "https://server.example.com",
  "aud": "s6BhdRkqt3",
  "jti": "3d0c3cf797584bd193bd0fb1bd4e7d30",
  "sub": "248289761001",
  "iat": 1458668180,
  "exp": 1458668580,
  "events": [
    "https://specs.openid.net/logout"
  ],
  "sid": "08a5019c-17e1-4977-8f42-65a12843ea02"
}
If we had additional standard logout-specific attributes we could put them in the "https://specs.openid.net/logout" claim as per my previous example, but for simple events like this, that attribute dictionary may not be needed.
Effectively the delta would then just be replacing "logout_only":"true", with "events": [ "https://specs.openid.net/logout" ],
On Thu, Apr 7, 2016 at 7:03 PM, Mike Jones <Michael.Jones at microsoft.com> wrote:
I’ll note that the “events” syntax below is based on Phil Hunt’s ID Events proposal, which William has been working on with him. See the id-event mailing list for more details. The announcement of the id-event mailing list is at http://www.ietf.org/mail-archive/web/ietf-announce/current/msg14839.html.
-- Mike
From: Openid-specs-ab [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of William Denniss
Sent: Thursday, April 7, 2016 6:46 PM
To: openid-specs-ab at lists.openid.net
Subject: [Openid-specs-ab] Back-Channel Logout Token Proposal
I had a discussion with Mike, John and Nat about event JWT formats at IETF95, specifically as they relate to the Back-Channel Logout spec.
Here is an example of what the Back-Channel Logout Token could look like with an extensible event treatment:
{
  "iss": "https://server.example.com",
  "aud": "s6BhdRkqt3",
  "jti": "3d0c3cf797584bd193bd0fb1bd4e7d30",
  "sub": "248289761001",
  "iat": 1458668180,
  "exp": 1458668580,
  "events": [
    "https://specs.openid.net/logout"
  ],
  "https://specs.openid.net/logout": {
    "sid": "08a5019c-17e1-4977-8f42-65a12843ea02"
  }
}
The proposed change is replacing the "logout_only" claim in the current draft (http://openid.net/specs/openid-connect-backchannel-1_0.html#LogoutToken) with an "events" claim, a list of event type URI references. Each of these event type URIs is also a claim of its own, containing the event-specific attributes. The Back-Channel Logout spec would register just 1 event type: "https://specs.openid.net/logout", and the "sid" attribute would move to the logout attribute group.
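Added example (not from the thread or from the spec): a relying-party-side check of a decoded logout token under either of the two shapes proposed above, the one with "sid" inside the event attribute group and the one with "sid" at top level. It assumes the JWT signature has already been verified, that the RP keeps a set of seen "jti" values for replay detection, and takes the current time as a parameter.

```python
import json

# Event type URI the Back-Channel Logout spec would register under this proposal.
LOGOUT_EVENT = "https://specs.openid.net/logout"

# Constructed samples: the claims sets of the two token shapes proposed in the
# thread (first with the sid inside the event attribute group, then at top level).
TOKEN_EVENT_GROUP = json.dumps({
    "iss": "https://server.example.com", "aud": "s6BhdRkqt3",
    "jti": "3d0c3cf797584bd193bd0fb1bd4e7d30", "sub": "248289761001",
    "iat": 1458668180, "exp": 1458668580,
    "events": [LOGOUT_EVENT],
    LOGOUT_EVENT: {"sid": "08a5019c-17e1-4977-8f42-65a12843ea02"},
})
TOKEN_TOP_LEVEL_SID = json.dumps({
    "iss": "https://server.example.com", "aud": "s6BhdRkqt3",
    "jti": "3d0c3cf797584bd193bd0fb1bd4e7d30", "sub": "248289761001",
    "iat": 1458668180, "exp": 1458668580,
    "events": [LOGOUT_EVENT],
    "sid": "08a5019c-17e1-4977-8f42-65a12843ea02",
})

def validate_logout_token(payload, expected_iss, expected_aud, seen_jti, now):
    """Validate a decoded logout-token payload (signature assumed already checked).
    Returns the "sid" the RP should terminate; raises ValueError on any failure.
    `seen_jti` is a set the caller keeps for replay detection (assumed design)."""
    claims = json.loads(payload)
    if claims.get("iss") != expected_iss:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if aud != expected_aud and not (isinstance(aud, list) and expected_aud in aud):
        raise ValueError("token not addressed to this RP")
    for name in ("iat", "exp", "jti"):
        if name not in claims:
            raise ValueError(f"missing required claim {name!r}")
    if not claims["iat"] <= now < claims["exp"]:
        raise ValueError("token outside its iat/exp validity window")
    if claims["jti"] in seen_jti:
        raise ValueError("replayed jti")
    events = claims.get("events")
    if not isinstance(events, list) or LOGOUT_EVENT not in events:
        raise ValueError("events claim does not name the logout event")
    # The sid is either top-level (second proposal) or inside the attribute
    # group keyed by the event URI (first proposal); accept both shapes.
    sid = claims.get("sid") or claims.get(LOGOUT_EVENT, {}).get("sid")
    if sid is None:
        raise ValueError("no sid identifies the session to terminate")
    seen_jti.add(claims["jti"])  # record only after every check has passed
    return sid
```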