[Openid-specs-ab] Spec Call Notes 21-Jun-18
n-sakimura
n-sakimura at nri.co.jp
Mon Jun 25 05:05:08 UTC 2018
I guess making the requirements in the numbered list style like FAPI makes a difference. It makes it much easier for developers to check compliance with the spec.
Nat Sakimura
This e-mail may contain confidential information intended only for the named recipient. If you have received it in error, please notify the sender and delete this e-mail.
PLEASE READ: This e-mail is confidential and intended for the named recipient only. If you are not an intended recipient, please notify the sender and delete this e-mail.
________________________________
From: Openid-specs-ab <openid-specs-ab-bounces at lists.openid.net> on behalf of George Fletcher via Openid-specs-ab <openid-specs-ab at lists.openid.net>
Sent: Friday, June 22, 2018 1:44:11 PM
To: Mike Jones; openid-specs-ab at lists.openid.net
Subject: Re: [Openid-specs-ab] Spec Call Notes 21-Jun-18
I reviewed the docs and there is discussion of this issue already present that I missed.
Section 5 (RP-Initiated Logout) from the Session Management spec RECOMMENDS use of the id_token_hint and ends the section with a statement that the OP should ask the user if they want to logout of the OP or not.
Section 8 (Security Considerations) from the Session Management spec calls out that "Logout requests without a valid 'id_token_hint' value are a potential means of denial of service; therefore, OPs may want to require explicit user confirmation before acting upon them."
Section 1 (Introduction) from the Front-Channel logout spec identifies that the spec reuses the RP-Initiated Logout functionality from the Session Management spec.
All the bases are covered, though it's easy to miss. I don't know if what we have is sufficient or we should add more text.
The only normative change we could make that might make things easier for RPs, now that session id is defined, would be to update Section 5 of the Session Management spec to allow for specification of the session-id instead of the id_token.
Thoughts?
Thanks,
George
On 6/21/18 10:48 AM, Mike Jones via Openid-specs-ab wrote:
Unauthenticated Logout Requests
- George will file an issue proposing Security Considerations language about denial of service attacks using front-channel logout
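The OP-side behaviour George describes above (act on an RP-initiated logout request right away only when it carries a valid id_token_hint, otherwise ask the user to confirm first, and honour only a registered post_logout_redirect_uri), as an added example; this is not code from the OpenID specs or from anyone on the thread. The issuer, client registration, HS256 shared key and token values are constructed for the example; a real OP verifies its own asymmetric signatures, and whether to accept an expired hint is that OP's policy choice.

```python
"""OP-side decision logic for an RP-initiated logout request.

Added example, not code from the OpenID specs or from this thread. Uses
HS256 ID tokens with a constructed shared key so it runs offline; a real OP
verifies RS256/ES256 signatures with its own published keys.
"""
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed values for the example (not taken from the thread).
OP_ISSUER = "https://op.example"
OP_KEY = b"constructed-shared-key-for-example-only"
REGISTERED_CLIENTS = {
    "rp-client-1": {"post_logout_redirect_uris": ["https://rp.example/loggedout"]},
}


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_id_token(sub: str, aud: str, exp: int, key: bytes = OP_KEY) -> str:
    """Mint an HS256 ID token; used here only to build sample requests."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(
        json.dumps({"iss": OP_ISSUER, "sub": sub, "aud": aud, "exp": exp}).encode()
    )
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_id_token_hint(token: str, key: bytes = OP_KEY) -> Optional[dict]:
    """Return the claims if the hint is a token this OP issued to a registered
    client, else None. 'exp' is deliberately not checked: a user logging out
    may well hold an expired token (this example's policy, not the spec's)."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
        sig = _b64url_decode(s)
    except ValueError:
        return None
    if not (isinstance(header, dict) and isinstance(claims, dict)):
        return None
    if header.get("alg") != "HS256":  # reject 'none' and any unexpected alg
        return None
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    aud = claims.get("aud")
    if claims.get("iss") != OP_ISSUER or not isinstance(aud, str) or aud not in REGISTERED_CLIENTS:
        return None
    return claims


def handle_logout_request(params: dict) -> dict:
    """Decide how the OP responds to a logout request.

    A valid id_token_hint authenticates the request, so the OP session can be
    ended immediately. Without one, the OP shows a confirmation page first,
    so an unauthenticated request cannot by itself terminate the user's
    session (the denial-of-service concern in the Security Considerations).
    """
    hint = params.get("id_token_hint")
    claims = verify_id_token_hint(hint) if isinstance(hint, str) else None
    redirect = params.get("post_logout_redirect_uri")
    state = params.get("state")

    if claims is None:
        # No usable hint: ask the user, and do not follow an unverified redirect.
        return {"action": "confirm", "redirect_uri": None, "state": state}

    allowed = REGISTERED_CLIENTS[claims["aud"]]["post_logout_redirect_uris"]
    if redirect not in allowed:
        redirect = None  # only exact-match registered URIs are honoured
    return {
        "action": "logout",
        "subject": claims.get("sub"),
        "client_id": claims["aud"],
        "redirect_uri": redirect,
        "state": state,
    }
```

The point of the split return value is that the confirmation branch costs the attacker a user click per session, which removes the unauthenticated request as a way to log people out at will; the redirect check is separate and stops a verified request from sending the user to an unregistered location after logout.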