[Openid-specs-ab] OpenID Connect Logout using HTTP GET
ve7jtb at ve7jtb.com
Sat Feb 21 01:20:47 UTC 2015
Probably safer to include an issuer, though with any reasonable amount of entropy sid would be unique for that browser.
Remember it doesn't need to be unique across all users in the front channel as the RP also has its session.
I would put the sid in a JWT except that size probably impacts the number of calls you can get done before the user closes the page.
Sent from my iPhone
> On Feb 20, 2015, at 10:10 PM, Mike Jones <Michael.Jones at microsoft.com> wrote:
> It never seems to fail – you send something out then you immediately realize what’s wrong with it. ;-) In this case, I realized that the “sid” (Session ID) isn’t sufficient, in general, for the RP to identify the session that the logout request pertains to, since the “sid” is issuer-specific (just like “sub” is). The RP also needs to know the issuer. The most straightforward way to provide this is probably also having an “iss=issuer” query parameter for the logout request to the RP, in addition to the “sid=sessionID” query parameter.
> -- Mike
> From: Openid-specs-ab [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Mike Jones
> Sent: Friday, February 20, 2015 4:37 PM
> To: openid-specs-ab at lists.openid.net
> Subject: Re: [Openid-specs-ab] OpenID Connect Logout using HTTP GET
> A third iteration of the proposed OpenID Connect spec on logout using HTTP GET is attached. (It’s now a two-pager.) This incorporates the results of the useful discussion on Thursday’s call. Keep those cards and letters coming!
> Changes were:
> · Replaced the optional id_token parameter with an optional sid (Session ID) parameter.
> · Enabled the use of iframes with nested images or iframes to achieve downstream logouts.
> -- Mike
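As an added illustration of the issuer point raised above (example code, not part of the thread or of the draft spec): an RP-side handler for the GET logout request that terminates only the session bound to both iss and sid, and a sid-only lookup beside it to show the collision Mike describes. The session store and issuer URLs are constructed for the example.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed RP session store: RP session key -> (issuer, OP-assigned sid).
# Two OPs happen to have issued the same sid value (sid is issuer-specific,
# like sub), which is why the RP cannot key on sid alone.
SESSIONS = {
    "rp-session-1": {"iss": "https://op-a.example", "sid": "abc123"},
    "rp-session-2": {"iss": "https://op-b.example", "sid": "abc123"},
}

def parse_logout_request(url):
    """Extract iss and sid from a front-channel logout GET URL.
    Returns (iss, sid) only when each is present exactly once."""
    qs = parse_qs(urlsplit(url).query)
    iss, sid = qs.get("iss"), qs.get("sid")
    if not iss or not sid or len(iss) != 1 or len(sid) != 1:
        return None
    return iss[0], sid[0]

def sessions_matching(store, iss, sid):
    """Sessions bound to this (issuer, sid) pair."""
    return [k for k, v in store.items() if v["iss"] == iss and v["sid"] == sid]

def sessions_matching_sid_only(store, sid):
    """What a sid-only lookup would hit: sessions from unrelated OPs too."""
    return [k for k, v in store.items() if v["sid"] == sid]

def handle_logout(store, url):
    """RP side: end only the session(s) identified by (iss, sid).
    Returns the RP session keys that were terminated."""
    parsed = parse_logout_request(url)
    if parsed is None:
        return []  # malformed request: log it, terminate nothing
    iss, sid = parsed
    ended = sessions_matching(store, iss, sid)
    for key in ended:
        del store[key]
    return ended
```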