[Openid-specs-ab] Session ID semantics aligned across OpenID Connect front-channel and back-channel logout specs

Torsten Lodderstedt torsten at lodderstedt.net
Thu Aug 25 11:55:37 UTC 2016


Hi Mike,

Section 2.2 states "The domain, port, and scheme of this URL MUST be the 
same as that of a registered Redirection URI value."

What's the rationale for limiting the logout URL that way?

best regards,
Torsten.

On 24.08.2016 at 03:44, Mike Jones via Openid-specs-ab wrote:
>
> Session ID definitions in the OpenID Connect front-channel and 
> back-channel logout specs have been aligned so that the Session ID 
> definition is now the same in both specs.  The Session ID is scoped to 
> the Issuer in both specs now (whereas it was previously global in 
> scope in the front-channel spec).  This means that the issuer value 
> now needs to be supplied whenever the Session ID is.  This doesn’t 
> change the simple (no-parameter) front-channel logout messages.  The 
> back-channel specification is now also aligned with the ID Event Token 
> specification.
>
> The new specification versions are:
>
> - http://openid.net/specs/openid-connect-frontchannel-1_0-01.html
>
> - http://openid.net/specs/openid-connect-backchannel-1_0-03.html
>
> -- Mike
>
> P.S.  This notice was also posted at http://self-issued.info/?p=1599 
> and as @selfissued <https://twitter.com/selfissued>.
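
Added example, not part of the original thread or of either specification: a sketch of the two checks discussed above, the section 2.2 origin comparison for a logout URL and the issuer-scoped Session ID lookup at the relying party. The function names, the `iss`/`sid` query parameter names, the session table and all URLs are assumptions made for illustration.

```python
from urllib.parse import parse_qs, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """Return (scheme, host, port) for an absolute URL, or None if it has none."""
    try:
        parts = urlsplit(url)
        port = parts.port
    except ValueError:  # malformed authority or out-of-range port
        return None
    scheme, host = parts.scheme.lower(), (parts.hostname or "").lower()
    if not scheme or not host:
        return None
    return scheme, host, port if port is not None else DEFAULT_PORTS.get(scheme)

def logout_uri_allowed(logout_uri, redirect_uris):
    """Registration check: the logout URL must share scheme, domain and port
    with at least one registered redirection URI."""
    target = origin(logout_uri)
    return target is not None and any(origin(r) == target for r in redirect_uris)

def sessions_to_end(query, sessions):
    """Pick the local sessions a front-channel logout request refers to.

    `sessions` maps (issuer, session ID) to a local session handle for the
    current user agent. The key is the pair because the Session ID is scoped
    to the issuer: the same sid from two issuers names two different sessions.
    """
    params = parse_qs(query, keep_blank_values=True)
    iss, sid = params.get("iss", []), params.get("sid", [])
    if not iss and not sid:
        return sorted(sessions.values())  # simple no-parameter logout
    # A sid without its issuer is ambiguous; rejecting a lone iss as well is
    # this example's choice.
    if len(iss) != 1 or len(sid) != 1:
        raise ValueError("iss and sid must be supplied together, once each")
    match = sessions.get((iss[0], sid[0]))
    return [match] if match is not None else []

# Constructed sample data: two issuers that happen to use the same sid value.
SESSIONS = {
    ("https://op1.example", "08a5019c"): "local-session-A",
    ("https://op2.example", "08a5019c"): "local-session-B",
}
```
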
