[Openid-specs-ab] Session ID semantics aligned across OpenID Connect front-channel and back-channel logout specs

Torsten Lodderstedt torsten at lodderstedt.net
Wed Nov 16 02:46:35 UTC 2016


Hi all,

Any development regarding this topic? I still consider that this requirement 
is not needed.

best regards,
Torsten.

On 27.08.2016 at 02:06, Mike Jones wrote:
>
> I’m sympathetic to removing it but I’d like to first understand, if 
> possible, why we included the constraint in the first place.  (Thomas 
> may be right that it was copied from the front-channel logout spec, 
> but there may still have been reasons for doing so.)  John?  Anyone else?
>
> -- Mike
>
> *From:*Torsten Lodderstedt [mailto:torsten at lodderstedt.net]
> *Sent:* Friday, August 26, 2016 2:58 AM
> *To:* Thomas Broyer <t.broyer at ltgt.net>; Mike Jones 
> <Michael.Jones at microsoft.com>; openid-specs-ab at lists.openid.net
> *Subject:* Re: [Openid-specs-ab] Session ID semantics aligned across 
> OpenID Connect front-channel and back-channel logout specs
>
> I suggest removing this constraint from the spec.
>
> On 25.08.2016 at 16:30, Thomas Broyer wrote:
>
>     May I suggest a copy-pasta from the frontchannel spec? (where it
>     makes sense to follow the Web Origin restrictions, in case the
>     frontchannel_logout_uri uses localStorage/sessionStorage or
>     similar; and it's stricter than "cookie domains" so it works for
>     cookies too).
>
>     BTW, that makes for a good reminder of why a spec should explain
>     the "why" of its constraints, and not just "do this", "don't do that".
>
>     On Thu, Aug 25, 2016 at 3:43 PM Mike Jones via Openid-specs-ab
>     <openid-specs-ab at lists.openid.net
>     <mailto:openid-specs-ab at lists.openid.net>> wrote:
>
>         John, do you remember the rationale for the URL restrictions? 
>         I know that we talked about this as the spec was being written
>         ~1.5 years ago but I don’t remember the reasons off the top of
>         my head.
>
>         -- Mike
>
>         *From:*Torsten Lodderstedt [mailto:torsten at lodderstedt.net
>         <mailto:torsten at lodderstedt.net>]
>         *Sent:* Thursday, August 25, 2016 4:56 AM
>         *To:* Mike Jones <Michael.Jones at microsoft.com
>         <mailto:Michael.Jones at microsoft.com>>;
>         openid-specs-ab at lists.openid.net
>         <mailto:openid-specs-ab at lists.openid.net>
>         *Subject:* Re: [Openid-specs-ab] Session ID semantics aligned
>         across OpenID Connect front-channel and back-channel logout specs
>
>         Hi Mike,
>
>         section 2.2 states "The domain, port, and scheme of this URL
>         MUST be the same as that of a registered Redirection URI value."
>
>         What's the rationale for limiting the logout URL that way?
>
>         best regards,
>         Torsten.
>
>         On 24.08.2016 at 03:44, Mike Jones via Openid-specs-ab wrote:
>
>             Session ID definitions in the OpenID Connect front-channel
>             and back-channel logout specs have been aligned so that
>             the Session ID definition is now the same in both specs. 
>             The Session ID is scoped to the Issuer in both specs now
>             (whereas it was previously global in scope in the
>             front-channel spec).  This means that the issuer value now
>             needs to be supplied whenever the Session ID is.  This
>             doesn’t change the simple (no-parameter) front-channel
>             logout messages.  The back-channel specification is now
>             also aligned with the ID Event Token specification.
>
>             The new specification versions are:
>
>             - http://openid.net/specs/openid-connect-frontchannel-1_0-01.html
>             - http://openid.net/specs/openid-connect-backchannel-1_0-03.html
>
>             -- Mike
>
>             P.S. This notice was also posted at
>             http://self-issued.info/?p=1599 and as @selfissued
>             <https://twitter.com/selfissued>.
>
>
>
>             _______________________________________________
>             Openid-specs-ab mailing list
>             Openid-specs-ab at lists.openid.net
>             <mailto:Openid-specs-ab at lists.openid.net>
>             http://lists.openid.net/mailman/listinfo/openid-specs-ab
>
>

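The two points the quoted messages turn on, shown as an added Python example (not code from the specs or from anyone on the list): the section 2.2 rule that a logout URI's scheme, domain and port must match a registered Redirection URI, and the aligned definition under which an RP must key its sessions on the Issuer together with the Session ID rather than on the Session ID alone. All URLs and session identifiers below are constructed; treating a missing port as the scheme's default port is my own assumption, not something the quoted spec text says.

```python
"""Added example: logout-URI origin check and (iss, sid)-keyed RP session table."""
from urllib.parse import urlsplit

# Assumption: a URL without an explicit port is compared using the scheme default,
# so https://rp.example/cb and https://rp.example:443/logout share an origin.
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url: str) -> tuple:
    """Return (scheme, host, port) for a URL; host is lowercased by urlsplit."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or ""), (u.port or DEFAULT_PORTS.get(scheme))


def logout_uri_allowed(logout_uri: str, registered_redirect_uris) -> bool:
    """Section 2.2 constraint: the logout URI's scheme, domain and port must equal
    those of at least one registered Redirection URI (the path may differ)."""
    target = origin(logout_uri)
    return any(origin(r) == target for r in registered_redirect_uris)


class RpSessionStore:
    """RP-side session table keyed on (iss, sid).

    Because the Session ID is scoped to the Issuer, the same sid value issued by
    two different OPs refers to two unrelated sessions; a logout for one issuer
    must not terminate the other's session.
    """

    def __init__(self) -> None:
        self._by_key = {}  # (iss, sid) -> set of local RP session ids

    def add(self, iss: str, sid: str, local_session: str) -> None:
        self._by_key.setdefault((iss, sid), set()).add(local_session)

    def logout(self, iss: str, sid: str) -> set:
        """Terminate and return the local sessions bound to this issuer's sid."""
        return self._by_key.pop((iss, sid), set())


if __name__ == "__main__":
    registered = ["https://rp.example/cb", "http://localhost:8080/cb"]  # constructed
    print(logout_uri_allowed("https://rp.example:443/logout", registered))   # True
    print(logout_uri_allowed("https://rp.example:8443/logout", registered))  # False
    store = RpSessionStore()
    store.add("https://op-a.example", "abc", "local-1")
    store.add("https://op-b.example", "abc", "local-2")  # same sid, other issuer
    print(store.logout("https://op-a.example", "abc"))   # {'local-1'}
```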