[Openid-specs-ab] Issue #842: Session 5.1 - Make post_logout_redirect_uri treatment more parallel to redirect_uri (openid/connect)

Nat Sakimura sakimura at gmail.com
Sat Jun 1 09:04:35 UTC 2013


Actually, all of what I filed are clarifications or typos. They did not
cause any normative change. No changes in programs, if they were
compliant to start with, were necessary.

This issue however is a normative change so you have to change the program.

=nat via iPhone

On Jun 1, 2013, at 2:06, Mike Jones <Michael.Jones at microsoft.com> wrote:

> I would not have proposed this if no one else had proposed changes to the possible Implementer's Draft versions posted yesterday, but given that Nat has "broken the glass", I believe we should do this change now.  It's painless now, but would be an incompatible change later.  And it's motivated by a real use case.
>
> I will make this change as part of the final edits unless I hear any objections today.
>
>                -- Mike
>
> -----Original Message-----
> From: openid-specs-ab-bounces at lists.openid.net [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Michael Jones
> Sent: Friday, May 31, 2013 10:03 AM
> To: openid-specs-ab at lists.openid.net
> Subject: [Openid-specs-ab] Issue #842: Session 5.1 - Make post_logout_redirect_uri treatment more parallel to redirect_uri (openid/connect)
>
> New issue 842: Session 5.1 - Make post_logout_redirect_uri treatment more parallel to redirect_uri https://bitbucket.org/openid/connect/issue/842/session-51-make-post_logout_redirect_uri
>
> Michael Jones:
>
> Currently, multiple redirect_uri values can be pre-registered, but only one post_logout_redirect_uri.  Also, currently the redirect_uri value to be used must be explicitly passed to the OP, but the OP is expected to implicitly look up the registered post_logout_redirect_uri value and use it.
>
> I am aware of a use case in which multiple post_logout_redirect_uri values are necessary.  The RP is willing to pass the value to be used as an explicit parameter.  I'll note that passing an explicit parameter would also be aligned with what WS-Federation does.
>
> I propose that we change the post_logout_redirect_uri behavior to be parallel with that of redirect_uri in the manner described above.  If a post_logout_redirect_uri is not passed by the RP to the OP at logout time, the OP would not perform any redirection, and would retain control of the browser session.
>
> Responsible: mbj
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
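
The behaviour proposed in issue #842, as an added example that is not part of the thread or of the specification text: an OP-side check that accepts an explicitly passed post_logout_redirect_uri only if it is one of the RP's pre-registered values, and performs no redirect when the parameter is absent. Assumptions: the names `REGISTERED` and `decide_logout_redirect`, the client id and the URIs are constructed; the OP has already identified the RP; comparison is exact string match.

```python
# Constructed registration data (illustrative only, not from the thread).
REGISTERED = {
    "rp-example": {
        "post_logout_redirect_uris": [
            "https://rp.example/loggedout",
            "https://shop.rp.example/bye",
        ],
    },
}


def decide_logout_redirect(client_id, post_logout_redirect_uri=None,
                           registry=REGISTERED):
    """Return ("redirect", uri), ("stay", None) or ("reject", reason).

    Hypothetical helper: the OP calls it after ending the session.
    """
    if post_logout_redirect_uri is None:
        # No URI passed at logout time: the OP does not redirect and
        # keeps control of the browser session.
        return ("stay", None)

    client = registry.get(client_id)
    if client is None:
        return ("reject", "unknown client")

    # Assumption: exact string comparison against the registered list.
    # Prefix or host-only matching would let a crafted value send the
    # browser somewhere the RP never registered (open redirect).
    if post_logout_redirect_uri in client["post_logout_redirect_uris"]:
        return ("redirect", post_logout_redirect_uri)

    # Never redirect to an unregistered value; the OP shows its own page.
    return ("reject", "post_logout_redirect_uri not registered")


if __name__ == "__main__":
    for uri in (None,
                "https://shop.rp.example/bye",
                "https://rp.example/loggedout?next=https://other.example"):
        print(uri, "->", decide_logout_redirect("rp-example", uri))
```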

