[Openid-specs-ab] Front-Channel Logout 1.0 implementation / front+back question

Mike Jones Michael.Jones at microsoft.com
Fri Jan 19 12:42:16 UTC 2018


I agree with Vladimir's interpretation and advice.

				-- Mike

-----Original Message-----
From: Openid-specs-ab [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Vladimir Dzhuvinov via Openid-specs-ab
Sent: Friday, January 19, 2018 3:17 AM
To: openid-specs-ab at lists.openid.net; panva.ip at gmail.com
Subject: Re: [Openid-specs-ab] Front-Channel Logout 1.0 implementation / front+back question


On 17/01/18 11:59, Filip Skokan via Openid-specs-ab wrote:
> I have a question about both Front and Back-Channel logouts. When 
> triggered as part of RP-Initiated Logout, if due to a user prompt only 
> the specific "visited RP" session gets dropped and not a full logout, 
> should the front/back channel features be triggered for this one RP 
> (the one that initiated the logout) or not?

Interesting question. The RP is normally only concerned about the sign-in state of users in relation to itself. Change of state in relation to other RPs should be of no concern, and if such information is somehow leaked, that might also become a privacy issue.

My suggestion is to stick to the assumed contract between RP and OP. If a user gets effectively logged out for the concerned RP, regardless of how that came about, always notify the RP.

Vladimir



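To make the advice above concrete, here is an added worked example (not code from this thread, and not from any OpenID Connect implementation) of the OP-side decision it describes: when an RP-Initiated Logout ends the user's login at the OP for only the initiating RP, that RP is still notified over whatever logout channel it registered, and when the user chose a full logout every RP in the OP session is notified. The session layout, client_ids, URIs and secrets are constructed sample data; HS256 with the client secret is used only so the Logout Token can be signed and verified without extra dependencies (an OP would normally sign with its RS256/ES256 key). Claim names and the front-channel `iss`/`sid` query parameters follow the Back-Channel Logout 1.0 and Front-Channel Logout 1.0 drafts discussed on the list.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
import urllib.parse

BACKCHANNEL_EVENT = "http://schemas.openid.net/event/backchannel-logout"

# Constructed sample data (assumption, not from the thread): one OP session in
# which three RPs are signed in. rp-a and rp-c registered a back-channel URI,
# rp-b and rp-c a front-channel URI; rp-b asked for iss/sid in the front-channel
# request via frontchannel_logout_session_required.
ISSUER = "https://op.example.com"
OP_SESSION = {
    "sid": "sess-42",
    "sub": "user-123",
    "rps": {
        "rp-a": {"backchannel_logout_uri": "https://a.example/bc-logout",
                 "client_secret": "a-secret"},
        "rp-b": {"frontchannel_logout_uri": "https://b.example/fc-logout",
                 "frontchannel_logout_session_required": True},
        "rp-c": {"backchannel_logout_uri": "https://c.example/bc-logout",
                 "client_secret": "c-secret",
                 "frontchannel_logout_uri": "https://c.example/fc-logout"},
    },
}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_logout_token(issuer, client_id, client_secret, sub, sid, now=None):
    """OP side: build a Back-Channel Logout Token (HS256 JWS for this example).

    Required claims: iss, aud, iat, jti and the events claim carrying the
    backchannel-logout member; sub and/or sid identify what to log out.
    A nonce MUST NOT be present, so a Logout Token can never pass as an ID Token.
    """
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256"}
    payload = {
        "iss": issuer,
        "sub": sub,
        "aud": client_id,
        "iat": now,
        "jti": secrets.token_urlsafe(16),
        "events": {BACKCHANNEL_EVENT: {}},
        "sid": sid,
    }
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(payload)
    sig = hmac.new(client_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_logout_token(token, client_secret, issuer, client_id):
    """RP side: checks an RP must make before acting on a Logout Token."""
    head, body, sig = token.split(".")
    expected = hmac.new(client_secret.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != issuer or claims.get("aud") != client_id:
        raise ValueError("iss/aud mismatch")
    if BACKCHANNEL_EVENT not in claims.get("events", {}):
        raise ValueError("events claim does not mark this as a logout token")
    if "nonce" in claims:
        raise ValueError("nonce is prohibited in a logout token")
    if "sub" not in claims and "sid" not in claims:
        raise ValueError("logout token needs sub or sid")
    return claims


def front_channel_url(rp, issuer, sid):
    """OP side: URL the OP loads (e.g. in an iframe) to notify a front-channel RP.

    iss and sid are added when the RP registered
    frontchannel_logout_session_required; the RP then verifies both.
    """
    uri = rp["frontchannel_logout_uri"]
    if not rp.get("frontchannel_logout_session_required"):
        return uri
    sep = "&" if "?" in uri else "?"
    return uri + sep + urllib.parse.urlencode({"iss": issuer, "sid": sid})


def plan_logout(issuer, session, initiating_client_id, drop_only_initiating_rp):
    """Decide which RPs to notify after an RP-Initiated Logout.

    Rule from the thread: every RP whose login at the OP is ended gets
    notified, whether the user chose to drop only the initiating RP or
    everything. RPs that stay signed in learn nothing about the change.
    Returns (notifications, rps_still_signed_in); the input is not mutated.
    """
    if initiating_client_id not in session["rps"]:
        raise KeyError(f"{initiating_client_id} has no login in this OP session")
    affected = [initiating_client_id] if drop_only_initiating_rp else list(session["rps"])
    notices = []
    for cid in affected:
        rp = session["rps"][cid]
        if "backchannel_logout_uri" in rp:
            notices.append({"client_id": cid, "channel": "back",
                            "target": rp["backchannel_logout_uri"],
                            "logout_token": make_logout_token(
                                issuer, cid, rp["client_secret"], session["sub"], session["sid"])})
        if "frontchannel_logout_uri" in rp:
            notices.append({"client_id": cid, "channel": "front",
                            "target": front_channel_url(rp, issuer, session["sid"])})
    remaining = {cid: rp for cid, rp in session["rps"].items() if cid not in affected}
    return notices, remaining


if __name__ == "__main__":
    for only_one in (True, False):
        notices, remaining = plan_logout(ISSUER, OP_SESSION, "rp-a", only_one)
        print("drop only rp-a" if only_one else "full logout",
              "->", [(n["client_id"], n["channel"]) for n in notices],
              "still signed in:", sorted(remaining))
```

The point of `plan_logout` is the `affected` set: it is computed from what the user actually chose, and notifications are derived from it, so the initiating RP is told about its own logout even in the single-RP case, while an RP whose login survives receives nothing about the others.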