[Openid-specs-ab] Session ID semantics aligned across OpenID Connect front-channel and back-channel logout specs
Mike Jones
Michael.Jones at microsoft.com
Thu Aug 25 13:43:12 UTC 2016
John, do you remember the rationale for the URL restrictions? I know that we talked about this as the spec was being written ~1.5 years ago but I don't remember the reasons off the top of my head.
-- Mike
From: Torsten Lodderstedt [mailto:torsten at lodderstedt.net]
Sent: Thursday, August 25, 2016 4:56 AM
To: Mike Jones <Michael.Jones at microsoft.com>; openid-specs-ab at lists.openid.net
Subject: Re: [Openid-specs-ab] Session ID semantics aligned across OpenID Connect front-channel and back-channel logout specs
Hi Mike,
section 2.2 states "The domain, port, and scheme of this URL MUST be the same as that of a registered Redirection URI value."
What's the rationale for limiting the logout URL that way?
best regards,
Torsten.
On 24.08.2016 at 03:44, Mike Jones via Openid-specs-ab wrote:
Session ID definitions in the OpenID Connect front-channel and back-channel logout specs have been aligned so that the Session ID definition is now the same in both specs. The Session ID is scoped to the Issuer in both specs now (whereas it was previously global in scope in the front-channel spec). This means that the issuer value now needs to be supplied whenever the Session ID is. This doesn't change the simple (no-parameter) front-channel logout messages. The back-channel specification is now also aligned with the ID Event Token specification.
The new specification versions are:
* http://openid.net/specs/openid-connect-frontchannel-1_0-01.html
* http://openid.net/specs/openid-connect-backchannel-1_0-03.html
-- Mike
P.S. This notice was also posted at http://self-issued.info/?p=1599 and as @selfissued<https://twitter.com/selfissued>.
_______________________________________________
Openid-specs-ab mailing list
Openid-specs-ab at lists.openid.net<mailto:Openid-specs-ab at lists.openid.net>
http://lists.openid.net/mailman/listinfo/openid-specs-ab
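
The section 2.2 rule quoted in Torsten's message (same domain, port, and scheme as a registered Redirection URI), written out as a registration-time check. This is an added example, not code from the thread or the specifications; the function names and the sample URIs are hypothetical and constructed for illustration.

```python
from urllib.parse import urlsplit

# Ports implied by the scheme when the URL does not state one.
DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample registration data (assumption, not from the thread).
REGISTERED_REDIRECT_URIS = [
    "https://rp.example.com/cb",
    "https://rp.example.com:8443/alt/cb",
]


def origin(url):
    """Return (scheme, host, port), lower-cased and with default ports filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()  # hostname excludes any userinfo part
    if not scheme or not host:
        raise ValueError(f"not an absolute URL with a host: {url!r}")
    # parts.port raises ValueError on a malformed or out-of-range port.
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def logout_uri_allowed(logout_uri, redirect_uris):
    """True if logout_uri shares scheme, host and port with a registered redirect URI."""
    try:
        candidate = origin(logout_uri)
    except ValueError:
        return False
    allowed = set()
    for uri in redirect_uris:
        try:
            allowed.add(origin(uri))
        except ValueError:
            continue  # e.g. a custom-scheme redirect URI with no host
    return candidate in allowed


if __name__ == "__main__":
    for uri in ("https://RP.example.com:443/logout",
                "http://rp.example.com/logout",
                "https://rp.example.com@evil.example/logout"):
        print(uri, "->", logout_uri_allowed(uri, REGISTERED_REDIRECT_URIS))
```

The comparison is on the parsed triple rather than a string prefix, so an explicit default port or upper-case host still matches, while a registered host placed in the userinfo part does not.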