[Openid-specs-ab] Session ID semantics aligned across OpenID Connect front-channel and back-channel logout specs
Torsten Lodderstedt
torsten at lodderstedt.net
Fri Aug 26 09:57:52 UTC 2016
I suggest to remove this constraint from the spec.
Am 25.08.2016 um 16:30 schrieb Thomas Broyer:
> May I suggest a copy-pasta from the frontchannel spec? (where it makes
> sense to follow the Web Origin restrictions, in case the
> frontchannel_logout_uri uses localStorage/sessionStorage or similar;
> and it's stricter than "cookie domains" so it works for cookies too).
>
> BTW, that makes for a good reminder of why a spec should explain the
> "why" of its constraints, and not just "do this", "don't do that".
>
> On Thu, Aug 25, 2016 at 3:43 PM Mike Jones via Openid-specs-ab
> <openid-specs-ab at lists.openid.net
> <mailto:openid-specs-ab at lists.openid.net>> wrote:
>
> John, do you remember the rationale for the URL restrictions? I
> know that we talked about this as the spec was being written ~1.5
> years ago but I don’t remember the reasons off the top of my head.
>
> -- Mike
>
> *From:*Torsten Lodderstedt [mailto:torsten at lodderstedt.net
> <mailto:torsten at lodderstedt.net>]
> *Sent:* Thursday, August 25, 2016 4:56 AM
> *To:* Mike Jones <Michael.Jones at microsoft.com
> <mailto:Michael.Jones at microsoft.com>>;
> openid-specs-ab at lists.openid.net
> <mailto:openid-specs-ab at lists.openid.net>
> *Subject:* Re: [Openid-specs-ab] Session ID semantics aligned
> across OpenID Connect front-channel and back-channel logout specs
>
> Hi Mike,
>
> section 2.2 states "The domain, port, and scheme of this URL MUST
> be the same as that of a registered Redirection URI value."
>
> What's the rational for limiting the logout URL that way?
>
> best regards,
> Torsten.
>
> Am 24.08.2016 um 03:44 schrieb Mike Jones via Openid-specs-ab:
>
> Session ID definitions in the OpenID Connect front-channel and
> back-channel logout specs have been aligned so that the
> Session ID definition is now the same in both specs. The
> Session ID is scoped to the Issuer in both specs now (whereas
> it was previously global in scope in the front-channel spec).
> This means that the issuer value now needs to be supplied
> whenever the Session ID is. This doesn’t change the simple
> (no-parameter) front-channel logout messages. The
> back-channel specification is now also aligned with the ID
> Event Token specification.
>
> The new specification versions are:
>
> ·http://openid.net/specs/openid-connect-frontchannel-1_0-01.html
>
> ·http://openid.net/specs/openid-connect-backchannel-1_0-03.html
>
> -- Mike
>
> P.S. This notice was also posted at
> http://self-issued.info/?p=1599
> <http://self-issued.info/?p=1599> and as @selfissued
> <https://twitter.com/selfissued>.
>
>
>
>
> _______________________________________________
>
> Openid-specs-ab mailing list
>
> Openid-specs-ab at lists.openid.net
> <mailto:Openid-specs-ab at lists.openid.net>
>
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> <mailto:Openid-specs-ab at lists.openid.net>
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20160826/626f159d/attachment.html>
More information about the Openid-specs-ab
mailing list