[Openid-specs-ab] Issue #1024: Logout specs are inconsistent in defining a session (openid/connect)

tomcjones issues-reply at bitbucket.org
Wed Apr 4 20:21:50 UTC 2018


New issue 1024: Logout specs are inconsistent in defining a session
https://bitbucket.org/openid/connect/issues/1024/logout-specs-are-inconsistent-in-defining

tomcjones:

The front channel logout spec defines: Session
Continuous period of time during which an End-User accesses a Relying Party relying on the Authentication of the End-User performed by the OpenID Provider.
But the spec also says: [The sid's] contents are opaque to the RP.
And this value seems to bear no clear relationship to what the user agent and the RP decide the session should be. The sid is just a value (claim) from the OP that it regurgitates when it sends a logout.




