[Openid-specs-ab] Backchannel Logout & SET
Mike Jones
Michael.Jones at microsoft.com
Wed Nov 16 10:04:28 UTC 2016
The “sid” claim is defined at http://openid.net/specs/openid-connect-frontchannel-1_0.html#OPLogout. This definition is referenced from http://openid.net/specs/openid-connect-backchannel-1_0.html.
By design, the SET spec leaves it up to the individual security event definition what claims are required to be present in the event, both as top-level claims and as claims in the event-specific data structure. (This is very parallel to how the JWT spec, by design, doesn’t mandate *any* particular claims in a conforming JWT. This flexibility has facilitated adoption of JWTs for very different use cases.)
Being SET-compliant is defined at https://tools.ietf.org/html/draft-hunt-idevent-token-06#section-2.
Thanks for thinking about and reviewing all this, Torsten.
-- Mike
From: Torsten Lodderstedt [mailto:torsten at lodderstedt.net]
Sent: Wednesday, November 16, 2016 6:54 PM
To: Mike Jones <Michael.Jones at microsoft.com>; Phil Hunt <phil.hunt at oracle.com>
Cc: openid-specs-ab at lists.openid.net
Subject: Re: [Openid-specs-ab] Backchannel Logout & SET
Hi Mike,
Where is the sid claim defined? And what is the meaning of SET compliant?
best regards,
Torsten.
On 16.11.2016 at 17:25, Mike Jones wrote:
“sid” is no more event-specific than “iss” and “sub” are. All of these are defined as top-level JWT claims across the Connect spec family. This has been extensively discussed on working group calls and on the list. The conclusion has always been to keep the logout token claims usage parallel to that in the ID Token. Unnecessary differences tend to be counter-productive.
-- Mike
From: Openid-specs-ab [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Phil Hunt via Openid-specs-ab
Sent: Wednesday, November 16, 2016 3:19 PM
To: Torsten Lodderstedt <torsten at lodderstedt.net>
Cc: openid-specs-ab at lists.openid.net
Subject: Re: [Openid-specs-ab] Backchannel Logout & SET
+1…. but we might want to hold off till I rev the SET draft based on today’s proposed format change proposed by Justin on the idevents mailing list.
I’ll try to get that published as quick as I can.
Phil
@independentid
www.independentid.com
phil.hunt at oracle.com
On Nov 16, 2016, at 11:56 AM, Torsten Lodderstedt via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:
Hi all,
I'm wondering about the consequences of the following statement: "NOTE: The Logout Token is compatible with Security Event Token (SET) [I-D.hunt-idevent-token] draft -03."
I think "sid" is an event-specific attribute and if I understand SET correctly, it therefore needs to go in the additional event data underneath an element "http://schemas.openid.net/event/backchannel-logout".
I think the example
{
"iss": "https://server.example.com",
"sub": "248289761001",
"aud": "s6BhdRkqt3",
"iat": 1471566154,
"jti": "bWJq",
"sid": "08a5019c-17e1-4977-8f42-65a12843ea02",
"events": [ "http://schemas.openid.net/event/backchannel-logout" ]
}
should be modified to look as follows
{
"iss": "https://server.example.com",
"sub": "248289761001",
"aud": "s6BhdRkqt3",
"iat": 1471566154,
"jti": "bWJq",
"events": [ "http://schemas.openid.net/event/backchannel-logout" ],
"http://schemas.openid.net/event/backchannel-logout":{
"sid": "08a5019c-17e1-4977-8f42-65a12843ea02"
}
}
What do you think?
best regards,
Torsten.
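Added example, not code from the thread or from the OpenID specifications: a Python check an RP could run over an already signature-verified Logout Token payload of the shape Mike's example uses (top-level "sid", "events" as an array as in the SET -03 era draft quoted above; later SET revisions changed "events" to a JSON object). The names validate_logout_token_claims and LogoutTokenError, the 120-second iat window and the in-memory jti replay set are assumptions of this example; it returns the sub/sid the RP should terminate sessions for and rejects a payload whose only "sid" is nested under the event URI with no top-level "sub".

```python
import time

# Event URI and example payload as quoted in the thread above.
BACKCHANNEL_LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"
EXAMPLE_LOGOUT_TOKEN = {
    "iss": "https://server.example.com",
    "sub": "248289761001",
    "aud": "s6BhdRkqt3",
    "iat": 1471566154,
    "jti": "bWJq",
    "sid": "08a5019c-17e1-4977-8f42-65a12843ea02",
    "events": [BACKCHANNEL_LOGOUT_EVENT],
}


class LogoutTokenError(ValueError):
    """Raised when a Logout Token payload fails a claim check (assumed name)."""


def validate_logout_token_claims(payload, expected_iss, expected_aud, seen_jti,
                                 now=None, max_age=120):
    """Check the decoded payload of a Logout Token whose JWS signature the caller
    has already verified.  Returns the top-level 'sub' and/or 'sid' to log out.
    The iat window (max_age, assumed 120 s) and seen_jti replay set are this
    example's own choices, not values from the thread."""
    now = int(time.time()) if now is None else now
    for claim in ("iss", "aud", "iat", "jti", "events"):
        if claim not in payload:
            raise LogoutTokenError("missing required claim: " + claim)
    if payload["iss"] != expected_iss:
        raise LogoutTokenError("issuer mismatch")
    aud = payload["aud"]
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        raise LogoutTokenError("audience mismatch")
    if not isinstance(payload["iat"], int) or abs(now - payload["iat"]) > max_age:
        raise LogoutTokenError("iat outside the acceptable window")
    # Subject identification is by top-level claims, parallel to the ID Token.
    if "sub" not in payload and "sid" not in payload:
        raise LogoutTokenError("at least one of sub or sid is required at top level")
    events = payload["events"]
    if not isinstance(events, list) or BACKCHANNEL_LOGOUT_EVENT not in events:
        raise LogoutTokenError("events does not contain the back-channel logout event")
    if payload["jti"] in seen_jti:
        raise LogoutTokenError("replayed jti")
    seen_jti.add(payload["jti"])
    return {k: payload[k] for k in ("sub", "sid") if k in payload}
```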