[Openid-specs-ab] Backchannel Logout & SET
Mike Jones
Michael.Jones at microsoft.com
Wed Nov 16 08:25:57 UTC 2016
“sid” is no more event-specific than “iss” and “sub” are. All of these are defined as top-level JWT claims across the Connect spec family. This has been extensively discussed on working group calls and on the list. The conclusion has always been to keep the logout token claims usage parallel to that in the ID Token. Unnecessary differences tend to be counter-productive.
-- Mike
From: Openid-specs-ab [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Phil Hunt via Openid-specs-ab
Sent: Wednesday, November 16, 2016 3:19 PM
To: Torsten Lodderstedt <torsten at lodderstedt.net>
Cc: openid-specs-ab at lists.openid.net
Subject: Re: [Openid-specs-ab] Backchannel Logout & SET
+1…. but we might want to hold off till I rev the SET draft based on today’s proposed format change proposed by Justin on the idevents mailing list.
I’ll try to get that published as quick as I can.
Phil
@independentid
www.independentid.com
phil.hunt at oracle.com
On Nov 16, 2016, at 11:56 AM, Torsten Lodderstedt via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:
Hi all,
I am wondering about the consequences of the following statement: "NOTE: The Logout Token is compatible with Security Event Token (SET) [I‑D.hunt‑idevent‑token] draft -03."
I think "sid" is an event-specific attribute and if I understand SET correctly, it therefore needs to go in the additional event data underneath an element "http://schemas.openid.net/event/backchannel-logout".
I think the example
{
"iss": "https://server.example.com",
"sub": "248289761001",
"aud": "s6BhdRkqt3",
"iat": 1471566154,
"jti": "bWJq",
"sid": "08a5019c-17e1-4977-8f42-65a12843ea02",
"events": [ "http://schemas.openid.net/event/backchannel-logout" ]
}
should be modified to look as follows
{
"iss": "https://server.example.com",
"sub": "248289761001",
"aud": "s6BhdRkqt3",
"iat": 1471566154,
"jti": "bWJq",
"events": [ "http://schemas.openid.net/event/backchannel-logout" ],
"http://schemas.openid.net/event/backchannel-logout":{
"sid": "08a5019c-17e1-4977-8f42-65a12843ea02"
}
}
What do you think?
best regards,
Torsten.
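
Added example, not part of the original thread or of any OpenID specification: a receiver-side check that locates "sid" under either of the two layouts shown above and rejects a token that carries both with different values. The function name, the required-claim list (taken from the claims present in both examples) and the assumption that the JWT signature has already been verified are this example's own.

```python
LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"
REQUIRED = ("iss", "aud", "iat", "jti")  # assumption: claims present in both examples

# Constructed inputs: the two payloads from the thread as Python dicts.
BASE = {
    "iss": "https://server.example.com",
    "sub": "248289761001",
    "aud": "s6BhdRkqt3",
    "iat": 1471566154,
    "jti": "bWJq",
    "events": [LOGOUT_EVENT],
}
TOP_LEVEL = {**BASE, "sid": "08a5019c-17e1-4977-8f42-65a12843ea02"}
NESTED = {**BASE, LOGOUT_EVENT: {"sid": "08a5019c-17e1-4977-8f42-65a12843ea02"}}


def extract_sid(claims):
    """Return (sid, layout) from already signature-verified logout token claims."""
    events = claims.get("events")
    if not isinstance(events, list) or LOGOUT_EVENT not in events:
        raise ValueError("not a back-channel logout event")
    missing = [name for name in REQUIRED if name not in claims]
    if missing:
        raise ValueError("missing claims: " + ", ".join(missing))
    top = claims.get("sid")
    payload = claims.get(LOGOUT_EVENT)
    nested = payload.get("sid") if isinstance(payload, dict) else None
    # Reject ambiguity: if sid appears in both places the values must agree,
    # otherwise two parsers could end up terminating different sessions.
    if top is not None and nested is not None and top != nested:
        raise ValueError("conflicting sid values")
    sid, layout = (top, "top-level") if top is not None else (nested, "event-payload")
    if not isinstance(sid, str) or not sid:
        raise ValueError("no usable sid in either location")
    return sid, layout


if __name__ == "__main__":
    for name, claims in (("top-level", TOP_LEVEL), ("nested", NESTED)):
        print(name, extract_sid(claims))
```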