[Openid-specs-ab] Session ID semantics aligned across OpenID Connect front-channel and back-channel logout specs
Brian Campbell
bcampbell at pingidentity.com
Wed Aug 24 21:20:58 UTC 2016
Where would such text go? Core errata? Or?
On Wed, Aug 24, 2016 at 11:53 AM, Mike Jones <Michael.Jones at microsoft.com>
wrote:
> Suggested text capturing these points would be great.
>
> *From:* Brian Campbell <bcampbell at pingidentity.com>
> *Sent:* Wednesday, August 24, 2016 12:39 PM
> *To:* Thomas Broyer <t.broyer at ltgt.net>
> *Cc:* Mike Jones <Michael.Jones at microsoft.com>; Phil Hunt (IDM)
> <phil.hunt at oracle.com>; openid-specs-ab at lists.openid.net
> *Subject:* Re: [Openid-specs-ab] Session ID semantics aligned across
> OpenID Connect front-channel and back-channel logout specs
>
>
> I would say yes, Thomas, but I think the answer will depend on who you ask
> and when.
>
> Typically, in my own experience anyway, the SSO token (like the id token)
> has a relatively short expiration time and is consumed and validated by the
> client/RP once and then that client sets up its own session or security
> context with its own lifetime.
>
> But I think some have used or want to use the id token directly as the
> session token at the client/RP. And doing so might then rely on the exp in
> the id token as the session expiration, which presumably would want a
> larger window.
>
> I don't think the spec(s) explicitly require one approach or the other.
> And, as such, I don't think any of the logout stuff can assume one or the
> other.
>
> On Wed, Aug 24, 2016 at 10:19 AM, Thomas Broyer via Openid-specs-ab <
> openid-specs-ab at lists.openid.net> wrote:
>
>> Aren't ID Tokens supposed to have a short expiration time? (I asked twice
>> already over the last 2 years and never got an answer, maybe this time?)
>>
>> On Wed, Aug 24, 2016 at 6:05 PM Mike Jones via Openid-specs-ab <
>> openid-specs-ab at lists.openid.net> wrote:
>>
>>> I found your original logic to be sound. The ID Token could be reused
>>> with id_token_hint until it expires. Communicating the matching expiration
>>> time in the logout made sense to me – particularly in the no Session ID
>>> case, as John points out.
>>>
>>> – Mike
>>>
>>> *From:* Phil Hunt (IDM) <phil.hunt at oracle.com>
>>> *Sent:* Wednesday, August 24, 2016 11:45 AM
>>> *To:* Phil Hunt (IDM) <phil.hunt at oracle.com>
>>> *Cc:* Mike Jones <Michael.Jones at microsoft.com>;
>>> openid-specs-ab at lists.openid.net
>>> *Subject:* Re: [Openid-specs-ab] Session ID semantics aligned across
>>> OpenID Connect front-channel and back-channel logout specs
>>>
>>> Scratch that. Was thinking oauth resource and tokens.
>>>
>>> Not sure the same would exist here.
>>>
>>> Phil
>>>
>>> On Aug 24, 2016, at 8:17 AM, Phil Hunt (IDM) via Openid-specs-ab <
>>> openid-specs-ab at lists.openid.net> wrote:
>>>
>>> It may be useful to include the original session expiry time or make the
>>> exp match the original id token. If the service isn't tracking state of
>>> sessions it needs to know for how much longer an id token might show up in
>>> order to keep its revocation list managed over time.
>>>
>>> Phil
>>>
>>> On Aug 24, 2016, at 5:58 AM, Mike Jones via Openid-specs-ab <
>>> openid-specs-ab at lists.openid.net> wrote:
>>>
>>> Good catch, Filip. I’d replaced “exp” (expiration time) with “iat”
>>> (issued at) to align it with the ID Events spec
>>> https://tools.ietf.org/html/draft-hunt-idevent-token-03. But I’d also
>>> wanted to ask the working group – do we want to retain an explicit
>>> expiration time in the logout token?
>>>
>>> -- Mike
>>>
>>> *From:* Filip <panva.ip at gmail.com>
>>> *Sent:* Wednesday, August 24, 2016 1:24 AM
>>> *To:* Mike Jones <Michael.Jones at microsoft.com>
>>> *Cc:* openid-specs-ab at lists.openid.net
>>> *Subject:* Re: [Openid-specs-ab] Session ID semantics aligned across
>>> OpenID Connect front-channel and back-channel logout specs
>>>
>>> Hello,
>>>
>>> reviewing the changes, I noticed that in Section 2.4 of Backchannel draft 03
>>> the 'exp' claim got removed from the Logout Token claims; however, Section 4
>>> still recommends that OPs use short expiration times for their Logout Tokens.
>>> It is not clear enough if 'exp' should be present or not.
>>>
>>> Best Regards,
>>> *Filip Skokan*
>>>
>>> On Wed, Aug 24, 2016 at 3:44 AM, Mike Jones via Openid-specs-ab <
>>> openid-specs-ab at lists.openid.net> wrote:
>>>
>>> Session ID definitions in the OpenID Connect front-channel and
>>> back-channel logout specs have been aligned so that the Session ID
>>> definition is now the same in both specs. The Session ID is scoped to the
>>> Issuer in both specs now (whereas it was previously global in scope in the
>>> front-channel spec). This means that the issuer value now needs to be
>>> supplied whenever the Session ID is. This doesn’t change the simple
>>> (no-parameter) front-channel logout messages. The back-channel
>>> specification is now also aligned with the ID Event Token specification.
>>>
>>> The new specification versions are:
>>>
>>> · http://openid.net/specs/openid-connect-frontchannel-1_0-01.html
>>>
>>> · http://openid.net/specs/openid-connect-backchannel-1_0-03.html
>>>
>>> -- Mike
>>>
>>> P.S. This notice was also posted at http://self-issued.info/?p=1599
>>> and as @selfissued <https://twitter.com/selfissued>.
>>>
>>> _______________________________________________
>>> Openid-specs-ab mailing list
>>> Openid-specs-ab at lists.openid.net
>>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>
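As an added example, not part of this thread and not text from any OpenID specification, here is how a Relying Party might act on the points discussed above, in Python: sessions are keyed by the (iss, sid) pair now that the Session ID is scoped to the issuer; the RP keeps its own session lifetime rather than reusing the ID Token's exp; a logout token's exp (or, when the OP sends none, iat plus a local window) bounds both how long the token is accepted and how long its jti must be remembered for replay detection; and a token without a sid falls back to ending all of that subject's sessions at that issuer. The HS256 shared secret, the claim set and event name (taken from the published Back-Channel Logout specification, which may differ from draft 03 under discussion here), the IAT_WINDOW policy, and the sample sessions and token are all assumptions made for this example.

```python
"""RP-side back-channel logout handling keyed by (iss, sid): an added illustration that
assumes HS256 over a shared secret (real OPs sign with keys from their JWKS), the claim
set and event name of the published Back-Channel Logout spec (draft 03 may differ), and
IAT_WINDOW as an invented RP policy for logout tokens that carry no exp claim."""
import base64
import hashlib
import hmac
import json

LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"
IAT_WINDOW = 120  # seconds a token without exp stays acceptable after iat (assumed)

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_logout_token(secret, claims):
    """Constructed OP side: mint an HS256-signed logout token (illustration only)."""
    header = _b64url(json.dumps({"alg": "HS256"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_logout_token(token, secret, issuer, client_id, now):
    """Return (claims, deadline); deadline is when the token and its jti can be forgotten."""
    h, b, s = token.split(".")  # raises ValueError on a malformed compact JWS
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the header choose the algorithm
    expected = hmac.new(secret, f"{h}.{b}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(b))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != client_id and not (isinstance(aud, list) and client_id in aud):
        raise ValueError("wrong audience")
    if "nonce" in claims:
        raise ValueError("nonce must not appear in a logout token")
    if LOGOUT_EVENT not in (claims.get("events") or {}):
        raise ValueError("not a back-channel logout event")
    if "jti" not in claims or "iat" not in claims or not ("sid" in claims or "sub" in claims):
        raise ValueError("jti, iat and sid or sub are required")
    # Honour exp when the OP sends one; otherwise bound acceptance by iat plus RP policy.
    deadline = claims.get("exp", claims["iat"] + IAT_WINDOW)
    if now > deadline:
        raise ValueError("logout token expired")
    return claims, deadline

class RpSessionStore:
    """Local sessions with the RP's own lifetime, plus a jti replay list."""

    def __init__(self):
        self.sessions = {}  # local id -> {"iss", "sid", "sub", "expires"}
        self.seen_jti = {}  # jti -> deadline after which that token can no longer arrive

    def login(self, local_id, iss, sid, sub, lifetime, now):
        # The RP picks its own lifetime; it need not equal the ID Token's exp.
        self.sessions[local_id] = {"iss": iss, "sid": sid, "sub": sub, "expires": now + lifetime}

    def logout_from_token(self, claims, deadline, now):
        """End every local session the token designates and return their ids."""
        self.prune(now)
        if claims["jti"] in self.seen_jti:
            return []  # replay of a token already acted on
        self.seen_jti[claims["jti"]] = deadline
        ended = []
        for local_id, sess in list(self.sessions.items()):
            if sess["iss"] != claims["iss"]:
                continue  # sid is issuer-scoped: the same sid from another OP is unrelated
            if "sid" in claims:
                hit = sess["sid"] == claims["sid"]
            else:
                hit = sess["sub"] == claims["sub"]  # no sid: end all of this subject's sessions
            if hit:
                ended.append(local_id)
                del self.sessions[local_id]
        return ended

    def prune(self, now):
        self.seen_jti = {j: d for j, d in self.seen_jti.items() if d >= now}
        self.sessions = {k: s for k, s in self.sessions.items() if s["expires"] > now}

def demo():
    """Constructed scenario: two OPs happen to use the same sid value."""
    secret, now = b"constructed-shared-secret", 1_472_000_000
    op_a, op_b = "https://op-a.example", "https://op-b.example"
    store = RpSessionStore()
    store.login("s1", op_a, "sid-123", "alice", 3600, now)
    store.login("s2", op_b, "sid-123", "alice", 3600, now)
    store.login("s3", op_a, "sid-999", "alice", 3600, now)
    token = make_logout_token(secret, {"iss": op_a, "aud": "rp-client", "iat": now, "jti": "evt-1",
                                       "sid": "sid-123", "events": {LOGOUT_EVENT: {}}})
    claims, deadline = verify_logout_token(token, secret, op_a, "rp-client", now)
    first = store.logout_from_token(claims, deadline, now)
    replay = store.logout_from_token(claims, deadline, now)
    return first, replay, sorted(store.sessions)
```

Running demo() ends only s1: s2 carries the same sid value but comes from a different issuer, and s3 is a different session at the same OP. Presenting the same token a second time does nothing, because its jti is retained until the token's deadline, and that deadline is exactly what an RP without per-session state needs in order to know when the entry can be dropped.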