[Openid-specs-ab] OpenID Connect Logout using HTTP GET

Mike Jones Michael.Jones at microsoft.com
Tue Feb 24 21:49:53 UTC 2015


The fourth spec version is attached.  Changes were:

* Added iss (Issuer) query parameter to disambiguate potential sid (Session ID) value conflicts between OPs.

* Renamed metadata parameters that used to contain the string "sid".

                                                                -- Mike

From: Openid-specs-ab [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Mike Jones
Sent: Friday, February 20, 2015 5:11 PM
To: openid-specs-ab at lists.openid.net
Subject: Re: [Openid-specs-ab] OpenID Connect Logout using HTTP GET

It never seems to fail - you send something out then you immediately realize what's wrong with it. ;-)  In this case, I realized that the "sid" (Session ID) isn't sufficient, in general, for the RP to identify the session that the logout request pertains to, since the "sid" is issuer-specific (just like "sub" is).  The RP also needs to know the issuer.  The most straightforward way to provide this is probably also having an "iss=issuer" query parameter for the logout request to the RP, in addition to the "sid=sessionID" query parameter.

Comments?

                                                                -- Mike

From: Openid-specs-ab [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Mike Jones
Sent: Friday, February 20, 2015 4:37 PM
To: openid-specs-ab at lists.openid.net
Subject: Re: [Openid-specs-ab] OpenID Connect Logout using HTTP GET

A third iteration of the proposed OpenID Connect spec on logout using HTTP GET is attached.  (It's now a two-pager.) This incorporates the results of the useful discussion on Thursday's call.  Keep those cards and letters coming!

Changes were:

* Replaced the optional id_token parameter with an optional sid (Session ID) parameter.

* Enabled the use of iframes with nested images or iframes to achieve downstream logouts.

                                                            -- Mike

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenID Connect Logout using HTTP GET.docx
Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
Size: 22437 bytes
Desc: OpenID Connect Logout using HTTP GET.docx
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20150224/44c88345/attachment-0001.docx>
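
The issuer-scoping point raised in the thread above, as an added example that is not part of the original post or the attached draft: an RP that federates with two OPs indexes its local sessions by the (iss, sid) pair, so a logout GET carrying both query parameters ends only the intended session. The class and function names, the example.* URLs and session values are constructed, and ignoring a request with a missing or repeated parameter is an assumption of this sketch.

```python
from urllib.parse import urlsplit, parse_qs


class RPSessionStore:
    """Hypothetical RP-side index of local sessions keyed by (iss, sid)."""

    def __init__(self):
        self._by_op_session = {}  # (iss, sid) -> set of local session ids

    def login(self, iss, sid, local_session):
        self._by_op_session.setdefault((iss, sid), set()).add(local_session)

    def sessions_for_sid_only(self, sid):
        # What a lookup on sid alone would match: every issuer using that value.
        return {s for (_, x), v in self._by_op_session.items() if x == sid for s in v}

    def logout(self, iss, sid):
        # Remove and return only the sessions established by this issuer.
        return self._by_op_session.pop((iss, sid), set())


def handle_logout_get(store, url):
    """Process a logout GET to the RP; returns the local sessions ended."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    iss, sid = query.get("iss", []), query.get("sid", [])
    # Assumption: exactly one non-empty value of each is required,
    # otherwise the session cannot be identified and nothing is ended.
    if len(iss) != 1 or len(sid) != 1 or not iss[0] or not sid[0]:
        return set()
    return store.logout(iss[0], sid[0])


def demo():
    store = RPSessionStore()
    # Constructed data: two OPs happen to issue the same sid value.
    store.login("https://op-a.example", "1234", "local-alice")
    store.login("https://op-b.example", "1234", "local-bob")
    ambiguous = store.sessions_for_sid_only("1234")
    ended = handle_logout_get(
        store, "https://rp.example/logout?iss=https%3A%2F%2Fop-a.example&sid=1234")
    remaining = store.sessions_for_sid_only("1234")
    return ambiguous, ended, remaining


if __name__ == "__main__":
    print(demo())
```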

