[Openid-specs-ab] Comments on OpenID Connect Front-Channel Logout
Torsten Lodderstedt
torsten at lodderstedt.net
Sun Mar 26 19:58:09 UTC 2017
Hi all,
since we are in voting for Implementer’s draft on the session management/logout specs, I gave this spec another read and came up with the following comments:
Section 2:
"RPs supporting HTTP-based logout register a logout URI with the OP as part of their client registration. The domain, port, and scheme of this URL MUST be the same as that of a registered Redirection URI value."
If the client is required to register a logout URI with the OP, why is this URI constrained to match parts of the redirect URI?
“The OP MAY add these query parameters …” - why isn’t this a MUST? Are you assuming not all OPs will be able to provide the RP with a session id?
I think it would improve readability to swap sections 2 and 3, e.g. the sid concept would be introduced before it is used in explaining the RP logout callback URL.
Section 4: I would suggest just referring to the session management spec's text on RP-initiated logout instead of partially replicating it. Replication typically causes lifecycle issues. Moreover, the reader needs to switch over for all the details anyway.
kind regards,
Torsten.
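To make the two Section 2 points above concrete, here is an added Python sketch (not from the spec draft or the mail) of the OP-side check that a registered logout URI shares scheme, host and port with a registered Redirection URI, and of the RP-side handling of the `iss` and `sid` query parameters the spec lets the OP append. The RP registration data, hostnames and session values are constructed for the example.

```python
from urllib.parse import urlsplit, urlencode, parse_qs

# Constructed RP registration data (not from the spec or the mail).
REGISTERED_REDIRECT_URIS = [
    "https://rp.example.com:8443/cb",
    "https://rp.example.com/openid/callback",
]

def _origin(url):
    """(scheme, host, port) of a URL, with the default port filled in."""
    p = urlsplit(url)
    if p.scheme not in ("https", "http") or not p.hostname:
        return None
    return (p.scheme, p.hostname.lower(), p.port or (443 if p.scheme == "https" else 80))

def logout_uri_acceptable(logout_uri, redirect_uris=REGISTERED_REDIRECT_URIS):
    """OP-side registration check from Section 2: the logout URI's scheme,
    host and port must equal those of some registered Redirection URI."""
    target = _origin(logout_uri)
    return target is not None and any(_origin(r) == target for r in redirect_uris)

def build_logout_url(logout_uri, iss, sid):
    """OP side: the URL rendered in the logout iframe; iss and sid are the
    query parameters the spec allows the OP to add to identify the session."""
    sep = "&" if urlsplit(logout_uri).query else "?"
    return logout_uri + sep + urlencode({"iss": iss, "sid": sid})

def should_terminate(query_string, session, trusted_iss):
    """RP side: decide whether a front-channel logout request applies to the
    browser's current RP session. `session` is {'iss': ..., 'sid': ...}.
    No parameters: log out whatever session the browser has with this OP.
    iss/sid present: both are required and both must match the session."""
    params = parse_qs(query_string)
    iss = params.get("iss", [None])[0]
    sid = params.get("sid", [None])[0]
    if iss is None and sid is None:
        return session.get("iss") == trusted_iss
    if iss is None or sid is None:
        return False
    return iss == trusted_iss and session.get("iss") == iss and session.get("sid") == sid
```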