[Openid-specs-ab] Session ID semantics aligned across OpenID Connect front-channel and back-channel logout specs
Thomas Broyer
t.broyer at ltgt.net
Thu Aug 25 14:30:01 UTC 2016
May I suggest a copy-pasta from the frontchannel spec? (where it makes
sense to follow the Web Origin restrictions, in case the
frontchannel_logout_uri uses localStorage/sessionStorage or similar; and
it's stricter than "cookie domains" so it works for cookies too).
BTW, that makes for a good reminder of why a spec should explain the "why"
of its constraints, and not just "do this", "don't do that".
On Thu, Aug 25, 2016 at 3:43 PM Mike Jones via Openid-specs-ab <
openid-specs-ab at lists.openid.net> wrote:
> John, do you remember the rationale for the URL restrictions? I know that
> we talked about this as the spec was being written ~1.5 years ago but I
> don’t remember the reasons off the top of my head.
>
> -- Mike
>
> *From:* Torsten Lodderstedt [mailto:torsten at lodderstedt.net]
> *Sent:* Thursday, August 25, 2016 4:56 AM
> *To:* Mike Jones <Michael.Jones at microsoft.com>;
> openid-specs-ab at lists.openid.net
> *Subject:* Re: [Openid-specs-ab] Session ID semantics aligned across
> OpenID Connect front-channel and back-channel logout specs
>
> Hi Mike,
>
> section 2.2 states "The domain, port, and scheme of this URL MUST be the
> same as that of a registered Redirection URI value."
>
> What's the rationale for limiting the logout URL that way?
>
> best regards,
> Torsten.
>
> Am 24.08.2016 um 03:44 schrieb Mike Jones via Openid-specs-ab:
>
> Session ID definitions in the OpenID Connect front-channel and
> back-channel logout specs have been aligned so that the Session ID
> definition is now the same in both specs. The Session ID is scoped to the
> Issuer in both specs now (whereas it was previously global in scope in the
> front-channel spec). This means that the issuer value now needs to be
> supplied whenever the Session ID is. This doesn’t change the simple
> (no-parameter) front-channel logout messages. The back-channel
> specification is now also aligned with the ID Event Token specification.
>
> The new specification versions are:
>
> · http://openid.net/specs/openid-connect-frontchannel-1_0-01.html
> · http://openid.net/specs/openid-connect-backchannel-1_0-03.html
>
> -- Mike
>
> P.S. This notice was also posted at http://self-issued.info/?p=1599 and
> as @selfissued <https://twitter.com/selfissued>.
>
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
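As an added example, not code from this thread or from either spec, here is how an OP could enforce the section 2.2 restriction Torsten quotes ("domain, port, and scheme ... MUST be the same as that of a registered Redirection URI") by comparing the `frontchannel_logout_uri` with the registered Redirection URIs on Web Origin (scheme, host, port), as Thomas suggests. The function names and the sample client registration are assumptions.

```python
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Default ports, so that https://rp.example.com and https://rp.example.com:443
# are treated as the same origin.
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url: str) -> Optional[Tuple[str, str, int]]:
    """Return the (scheme, host, port) origin of an absolute http(s) URL.

    Returns None for anything that does not parse into a usable origin
    (unknown or missing scheme, missing host, non-numeric port); the
    caller treats None as a rejection, never as a match.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    try:
        port = parts.port  # raises ValueError if the port is not an integer
    except ValueError:
        return None
    host = parts.hostname.lower()
    return (scheme, host, port if port is not None else DEFAULT_PORTS[scheme])


def logout_uri_allowed(frontchannel_logout_uri: str, redirect_uris: List[str]) -> bool:
    """Accept a frontchannel_logout_uri only if its origin equals the origin
    of at least one registered Redirection URI.

    Path and query are deliberately ignored: only scheme, host and port are
    constrained, so /logout may sit beside /cb on the same origin.
    """
    target = origin(frontchannel_logout_uri)
    if target is None:
        return False
    return any(origin(uri) == target for uri in redirect_uris)


# Constructed sample registration for a hypothetical client.
REGISTERED_REDIRECT_URIS = [
    "https://rp.example.com/cb",
    "http://localhost:8080/cb",
]

if __name__ == "__main__":
    for uri in ("https://rp.example.com/logout",
                "https://rp.example.com:8443/logout",
                "http://localhost:8080/logout",
                "https://other.example.com/logout"):
        print(uri, "->", logout_uri_allowed(uri, REGISTERED_REDIRECT_URIS))
```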