[Openid-specs-ab] Backchannel Logout & SET
Torsten Lodderstedt
torsten at lodderstedt.net
Wed Nov 16 10:05:20 UTC 2016
thanks for the clarification, Mike.
On 16.11.2016 at 19:04, Mike Jones wrote:
>
> The “sid” claim is defined at
> http://openid.net/specs/openid-connect-frontchannel-1_0.html#OPLogout.
> This definition is referenced from
> http://openid.net/specs/openid-connect-backchannel-1_0.html.
>
> By design, the SET spec leaves it up to the individual security event
> definition what claims are required to be present in the event, both
> as top-level claims and as claims in the event-specific data
> structure. (This is very parallel to how the JWT spec, by design
> doesn’t mandate **any** particular claims in a conforming JWT. This
> flexibility has facilitated adoption of JWTs for very different use
> cases.)
>
> Being SET-compliant is defined at
> https://tools.ietf.org/html/draft-hunt-idevent-token-06#section-2.
>
> Thanks for thinking about and reviewing all this, Torsten.
>
> -- Mike
>
> *From:* Torsten Lodderstedt [mailto:torsten at lodderstedt.net]
> *Sent:* Wednesday, November 16, 2016 6:54 PM
> *To:* Mike Jones <Michael.Jones at microsoft.com>; Phil Hunt
> <phil.hunt at oracle.com>
> *Cc:* openid-specs-ab at lists.openid.net
> *Subject:* Re: [Openid-specs-ab] Backchannel Logout & SET
>
> Hi Mike,
>
> where is the sid claim defined? And what is the meaning of SET compliant?
>
> best regards,
> Torsten.
>
> On 16.11.2016 at 17:25, Mike Jones wrote:
>
> “sid” is no more event-specific than “iss” and “sub” are. All of
> these are defined as top-level JWT claims across the Connect spec
> family. This has been extensively discussed on working group calls
> and on the list. The conclusion has always been to keep the
> logout token claims usage parallel to that in the ID Token.
> Unnecessary differences tend to be counter-productive.
>
> -- Mike
>
> *From:* Openid-specs-ab
> [mailto:openid-specs-ab-bounces at lists.openid.net] *On Behalf Of*
> Phil Hunt via Openid-specs-ab
> *Sent:* Wednesday, November 16, 2016 3:19 PM
> *To:* Torsten Lodderstedt <torsten at lodderstedt.net>
> <mailto:torsten at lodderstedt.net>
> *Cc:* openid-specs-ab at lists.openid.net
> <mailto:openid-specs-ab at lists.openid.net>
> *Subject:* Re: [Openid-specs-ab] Backchannel Logout & SET
>
> +1…. but we might want to hold off till I rev the SET draft based
> on today’s proposed format change proposed by Justin on the
> idevents mailing list.
>
> I’ll try to get that published as quick as I can.
>
> Phil
>
> @independentid
>
> www.independentid.com <http://www.independentid.com>
>
> phil.hunt at oracle.com <mailto:phil.hunt at oracle.com>
>
> On Nov 16, 2016, at 11:56 AM, Torsten Lodderstedt via
> Openid-specs-ab <openid-specs-ab at lists.openid.net
> <mailto:openid-specs-ab at lists.openid.net>> wrote:
>
> Hi all,
>
> I am wondering about the consequences of the following statement:
> "NOTE: The Logout Token is compatible with Security Event
> Token (SET) [I-D.hunt-idevent-token] draft -03."
>
> I think "sid" is an event-specific attribute and if I
> understand SET correctly, it therefore needs to go in the
> additional event data underneath an element
> "http://schemas.openid.net/event/backchannel-logout".
>
> I think the example
>
> {
> "iss": "https://server.example.com",
> "sub": "248289761001",
> "aud": "s6BhdRkqt3",
> "iat": 1471566154,
> "jti": "bWJq",
> "sid": "08a5019c-17e1-4977-8f42-65a12843ea02",
> "events": [
> "http://schemas.openid.net/event/backchannel-logout" ]
> }
>
> should be modified to look as follows
>
> {
> "iss": "https://server.example.com",
> "sub": "248289761001",
> "aud": "s6BhdRkqt3",
> "iat": 1471566154,
> "jti": "bWJq",
> "events": [
> "http://schemas.openid.net/event/backchannel-logout" ],
> "http://schemas.openid.net/event/backchannel-logout":{
> "sid": "08a5019c-17e1-4977-8f42-65a12843ea02"
> }
> }
>
> What do you think?
>
> best regards,
> Torsten.
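As an added example, not code from the thread or from either specification: a Python check (the helper name check_logout_token and the two payloads are constructed for illustration) that verifies a decoded Logout Token payload against the layout the thread settles on, with "sid" as a top-level claim next to the ID Token claims and the draft -03 array-form "events" claim, and that reports distinctly a token which instead nests "sid" under the event URI as in the proposed alternative.

```python
import json

BACKCHANNEL_LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"

# Constructed decoded JWT payloads (assumed already signature-verified) in the
# two layouts debated in the thread: "sid" top-level vs. inside event data.
TOP_LEVEL_SID = json.dumps({
    "iss": "https://server.example.com", "sub": "248289761001",
    "aud": "s6BhdRkqt3", "iat": 1471566154, "jti": "bWJq",
    "sid": "08a5019c-17e1-4977-8f42-65a12843ea02",
    "events": [BACKCHANNEL_LOGOUT_EVENT],
})
NESTED_SID = json.dumps({
    "iss": "https://server.example.com", "sub": "248289761001",
    "aud": "s6BhdRkqt3", "iat": 1471566154, "jti": "bWJq",
    "events": [BACKCHANNEL_LOGOUT_EVENT],
    BACKCHANNEL_LOGOUT_EVENT: {"sid": "08a5019c-17e1-4977-8f42-65a12843ea02"},
})


def check_logout_token(payload_json, expected_iss, client_id):
    """Return the problems found in a Logout Token payload (empty = accept).
    Layout per the thread's conclusion: the ID Token's top-level claims plus a
    top-level "sid", and an "events" array naming the logout event (draft -03)."""
    claims = json.loads(payload_json)
    problems = []
    for name in ("iss", "aud", "iat", "jti", "events"):
        if name not in claims:
            problems.append("missing top-level claim: " + name)
    if claims.get("iss") != expected_iss:
        problems.append("iss is not the expected OP issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud does not include this client_id")
    if not isinstance(claims.get("iat"), (int, float)):
        problems.append("iat must be a NumericDate")
    events = claims.get("events")
    if not isinstance(events, list) or BACKCHANNEL_LOGOUT_EVENT not in events:
        problems.append("events does not name the backchannel-logout event")
    # "sid" belongs at top level, like "iss" and "sub"; a sid found only inside
    # the event-specific data is reported distinctly from a token lacking it.
    if not isinstance(claims.get("sid"), str):
        nested = isinstance(claims.get(BACKCHANNEL_LOGOUT_EVENT), dict) \
            and "sid" in claims[BACKCHANNEL_LOGOUT_EVENT]
        problems.append("sid is nested in event data instead of top-level"
                        if nested else "missing top-level sid claim")
    return problems
```

The RP would run this after JWT signature and expiry validation, and reject the token on any non-empty result.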