[Openid-specs-ab] Front-Channel Logout 1.0 implementation / front+back question

Vladimir Dzhuvinov vladimir at connect2id.com
Fri Jan 19 11:17:09 UTC 2018


On 17/01/18 11:59, Filip Skokan via Openid-specs-ab wrote:
> I have a question about both Front and Back-Channel logouts. When triggered
> as part of RP-Initiated Logout, if due to a user prompt only the specific
> "visited RP" session gets dropped and not a full logout, should the
> front/back channel features be triggered for this one RP (the one that
> initiated the logout) or not?
Interesting question. The RP is normally only concerned about the
sign-in state of users in relation to itself. Change of state in
relation to other RPs should be of no concern, and if such information
is somehow leaked, that might also become a privacy issue.

My suggestion is to stick to the assumed contract between RP and OP. If
a user gets effectively logged out for the concerned RP, regardless of
how that came about, always notify the RP.

Vladimir
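The rule in the reply above, written out as a small model of the OP's decision (an added example, not code from the list or from connect2id): every RP whose session is effectively over gets notified, whether the user chose a single-RP sign-out at the prompt or a full logout, and each notification carries only that RP's own `sid`. The `OPSession` structure, `ISSUER` value and the per-RP `rp_sids` map are assumptions for the example; the claim names follow the Back-Channel and Front-Channel Logout specs.

```python
"""Model of which RPs an OP notifies after a logout (illustrative, not from the post)."""
import time
import uuid
from dataclasses import dataclass, field

ISSUER = "https://op.example"  # placeholder issuer for the example
BACKCHANNEL_EVENT = "http://schemas.openid.net/event/backchannel-logout"


@dataclass
class OPSession:
    """One end-user session at the OP; rp_sids maps client_id -> sid issued to that RP."""
    sub: str
    rp_sids: dict = field(default_factory=dict)


def end_sessions(session: OPSession, initiating_rp: str, full_logout: bool) -> dict:
    """Drop RP sessions and return {client_id: notification} for every RP affected.

    full_logout=False models the user choosing at the prompt to sign out of the
    initiating RP only.  The initiating RP is notified in both cases, because
    from its point of view the user is logged out either way.
    """
    if full_logout:
        ended = dict(session.rp_sids)
        session.rp_sids.clear()
    else:
        sid = session.rp_sids.pop(initiating_rp, None)
        ended = {initiating_rp: sid} if sid is not None else {}  # unknown RP: nothing to tell
    notices = {}
    for client_id, sid in ended.items():
        notices[client_id] = {
            # Back-Channel Logout: claims of the logout token (before JWT signing)
            "back": {"iss": ISSUER, "sub": session.sub, "aud": client_id, "sid": sid,
                     "iat": int(time.time()), "jti": str(uuid.uuid4()),
                     "events": {BACKCHANNEL_EVENT: {}}},
            # Front-Channel Logout: query parameters added to frontchannel_logout_uri
            "front": {"iss": ISSUER, "sid": sid},
        }
    return notices
```

No notification ever references another RP's `sid`, which keeps the state of other RPs from leaking through the logout channel.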
