[Openid-specs-ab] Session ID semantics aligned across OpenID Connect front-channel and back-channel logout specs

John Bradley ve7jtb at ve7jtb.com
Wed Aug 24 13:55:21 UTC 2016


In the event that sid is not present then an expiration time may be a good idea. I don’t think it is required if the sid is specified.


> On Aug 24, 2016, at 9:58 AM, Mike Jones via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:
> 
> Good catch, Filip.  I’d replaced “exp” (expiration time) with “iat” (issued at) to align it with the ID Events spec https://tools.ietf.org/html/draft-hunt-idevent-token-03.  But I’d also wanted to ask the working group – do we want to retain an explicit expiration time in the logout token?
>  
>                                                        -- Mike
>  
> From: Filip [mailto:panva.ip at gmail.com]
> Sent: Wednesday, August 24, 2016 1:24 AM
> To: Mike Jones <Michael.Jones at microsoft.com>
> Cc: openid-specs-ab at lists.openid.net
> Subject: Re: [Openid-specs-ab] Session ID semantics aligned across OpenID Connect front-channel and back-channel logout specs
>  
> Hello,
>  
> Reviewing the changes, I noticed in Section 2.4 of Backchannel draft 03 the 'exp' claim got removed from Logout Token claims; however, Section 4 still recommends OPs to use short expiration times for their Logout Tokens. It is not clear enough if 'exp' should be present or not.
> 
> Best Regards,
> Filip Skokan
>  
> On Wed, Aug 24, 2016 at 3:44 AM, Mike Jones via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:
> Session ID definitions in the OpenID Connect front-channel and back-channel logout specs have been aligned so that the Session ID definition is now the same in both specs.  The Session ID is scoped to the Issuer in both specs now (whereas it was previously global in scope in the front-channel spec).  This means that the issuer value now needs to be supplied whenever the Session ID is.  This doesn’t change the simple (no-parameter) front-channel logout messages.  The back-channel specification is now also aligned with the ID Event Token specification.
>  
> The new specification versions are:
> ·       http://openid.net/specs/openid-connect-frontchannel-1_0-01.html
> ·       http://openid.net/specs/openid-connect-backchannel-1_0-03.html
>  
>                                                        -- Mike
>  
> P.S.  This notice was also posted at http://self-issued.info/?p=1599 and as @selfissued <https://twitter.com/selfissued>.
> 
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
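The two points in this thread (sid is scoped to the issuer, and a time bound matters most when sid is absent) can be seen in a relying-party session index. This is an added example, not code from the thread or from either specification. It assumes the token signature was already verified, that a token without sid applies to every session of `sub` at that issuer, and a hypothetical `MAX_AGE` freshness window used when `exp` is absent.

```python
import time

MAX_AGE = 120  # assumed freshness window in seconds (hypothetical, not from the thread)


class SessionStore:
    """RP-side sessions indexed by (iss, sid), because sid is issuer-scoped."""

    def __init__(self):
        self.sessions = {}  # (iss, sid) -> sub

    def login(self, iss, sid, sub):
        self.sessions[(iss, sid)] = sub

    def apply_logout(self, claims, now=None):
        """Apply signature-verified logout token claims.

        Returns the list of (iss, sid) keys that were terminated.
        """
        now = time.time() if now is None else now
        iss = claims.get("iss")
        if not iss:
            raise ValueError("iss is required: sid is only unique per issuer")
        sid, sub = claims.get("sid"), claims.get("sub")
        if sid is not None:
            # Names exactly one session at this issuer. A replay finds
            # nothing left to end, so no time bound is enforced here.
            ended = [(iss, sid)] if (iss, sid) in self.sessions else []
        elif sub is not None:
            # No sid: every session of sub at this issuer is affected,
            # including ones started after the token was issued. Bound it
            # by exp if present, otherwise by iat + MAX_AGE.
            deadline = claims.get("exp", claims.get("iat", 0) + MAX_AGE)
            if now > deadline:
                raise ValueError("stale logout token without sid")
            ended = [k for k, s in self.sessions.items()
                     if k[0] == iss and s == sub]
        else:
            raise ValueError("logout token needs sid or sub")
        for key in ended:
            del self.sessions[key]
        return ended
```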