[Openid-specs-ab] OpenID Connect Logout using HTTP GET

Brian Campbell bcampbell at pingidentity.com
Wed Feb 25 17:39:06 UTC 2015


Sorry, took me a while to get to looking at this (even at 2 pages).

In general this looks pretty good and isn't too far off from the
implementation we did. Ours is img/get based and has no sid or equivalent.
But it's pretty close otherwise.  A few comments and questions follow...

"Several OpenID Connect implementers have requested a front channel logout
mechanism that doesn’t use JavaScript. " -> it's not the use of JavaScript,
per se, but rather the nature of how JavaScript is used. The session
management spec pretty much requires that an RP have Connect aware
JavaScript on every page, which is a non-starter for many scenarios that
involve low-touch or no-touch integration with existing applications.

RPs/Clients can have multiple redirect_uris and, if they have different
domains, it can be problematic for a front-channel logout mechanism that's
relying on cookies when only one logout_uri is allowed. We allowed for
multiple logout uris in our implementation to account for this. I can't
remember if we just hit them all or try and choose from among them based on
the redirect_uris used in the corresponding SSOs. I think the former. I
don't know if that's something that a logout spec should account for but
it's a situation that can fall out of multiple redirect_uris.

If no "post_logout_redirect_uri" is provided to the "end_session_endpoint",
is it expected that the OP keeps the user post logout (rather than sending
them back to the RP)?  I kind of assume so but it's not practically clear
(to me anyway) in this doc or in Session Management. FWIW, the
implementation we did always keeps the user at the OP after logout.

"STS" is a bit of an overloaded term that means different things to
different people/groups/companies. In a real spec it should be defined
clearly or avoided.

It'd be helpful to bring the definition of sid towards the beginning.
Currently sid is talked about throughout the document but not defined until
towards the end.

That's everything that jumped out at me (for now anyway).



On Tue, Feb 24, 2015 at 2:49 PM, Mike Jones <Michael.Jones at microsoft.com>
wrote:

>  The fourth spec version is attached.  Changes were:
>
> ·         Added iss (Issuer) query parameter to disambiguate potential sid
> (Session ID) value conflicts between OPs.
>
> ·         Renamed metadata parameters that used to contain the string “sid”.
>
>                                                                 -- Mike
>
> *From:* Openid-specs-ab [mailto:openid-specs-ab-bounces at lists.openid.net] *On
> Behalf Of *Mike Jones
> *Sent:* Friday, February 20, 2015 5:11 PM
> *To:* openid-specs-ab at lists.openid.net
> *Subject:* Re: [Openid-specs-ab] OpenID Connect Logout using HTTP GET
>
> It never seems to fail – you send something out then you immediately
> realize what’s wrong with it. ;-)  In this case, I realized that the “sid”
> (Session ID) isn’t sufficient, in general, for the RP to identify the
> session that the logout request pertains to, since the “sid” is
> issuer-specific (just like “sub” is).  The RP also needs to know the
> issuer.  The most straightforward way to provide this is probably also
> having an “iss=*issuer*” query parameter for the logout request to the
> RP, in addition to the “sid=*sessionID*” query parameter.
>
> Comments?
>
>                                                                 -- Mike
>
> *From:* Openid-specs-ab [mailto:openid-specs-ab-bounces at lists.openid.net
> <openid-specs-ab-bounces at lists.openid.net>] *On Behalf Of *Mike Jones
> *Sent:* Friday, February 20, 2015 4:37 PM
> *To:* openid-specs-ab at lists.openid.net
> *Subject:* Re: [Openid-specs-ab] OpenID Connect Logout using HTTP GET
>
> A third iteration of the proposed OpenID Connect spec on logout using HTTP
> GET is attached.  (It’s now a two-pager.) This incorporates the results of
> the useful discussion on Thursday’s call.  Keep those cards and letters
> coming!
>
> Changes were:
>
> ·         Replaced the optional id_token parameter with an optional sid
> (Session ID) parameter.
>
> ·         Enabled the use of iframes with nested images or iframes to
> achieve downstream logouts.
>
>                                                             -- Mike
>
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>
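The two technical points in this message, that a "sid" is only meaningful together with its issuer (so the RP must key sessions on the pair iss/sid and reject a bare sid), and that an OP may have to hit several registered logout URIs for one RP, are shown below as an added example in Python. This code is not from the thread, the draft spec, or either of the implementations discussed; the RP session store, the trusted-issuer set, the URL and function names, and the fallback to the RP's own session cookie when the OP sends no sid are all assumptions made for illustration.

```python
from urllib.parse import parse_qs, urlencode, urlparse, urlunparse

# Constructed sample data (assumption): the RP trusts two OPs, identified by issuer URL.
TRUSTED_ISSUERS = {"https://op-a.example", "https://op-b.example"}


class RpSessionStore:
    """RP-side record of local sessions that were established via OpenID Connect.

    Sessions are keyed by (iss, sid) because a sid, like sub, is only unique
    within one issuer: two OPs can legitimately hand out the same sid value.
    """

    def __init__(self):
        self._sessions = {}  # (iss, sid) -> {"user": str, "active": bool}

    def create(self, iss, sid, user):
        self._sessions[(iss, sid)] = {"user": user, "active": True}

    def is_active(self, iss, sid):
        entry = self._sessions.get((iss, sid))
        return bool(entry and entry["active"])

    def end(self, iss, sid):
        """Terminate one session. Returns False when nothing active matched."""
        entry = self._sessions.get((iss, sid))
        if entry is None or not entry["active"]:
            return False
        entry["active"] = False
        return True


def handle_frontchannel_logout(store, request_url, cookie_session=None):
    """Handle the OP-initiated GET to the RP's logout URI.

    request_url is the full URL the browser fetched (an <img> or iframe on the
    OP's logout page). cookie_session is the (iss, sid) pair identified by the
    RP's own session cookie, if any; using it as the fallback when the OP sends
    no sid is an assumption of this example, not something the draft specifies.
    Returns (http_status, reason).
    """
    params = parse_qs(urlparse(request_url).query)
    iss = params.get("iss", [None])[0]
    sid = params.get("sid", [None])[0]

    if sid is not None:
        # A sid on its own is ambiguous across OPs, so insist on the issuer
        # and only honour issuers this RP actually trusts.
        if iss is None:
            return 400, "sid given without iss"
        if iss not in TRUSTED_ISSUERS:
            return 400, "unknown issuer"
        target = (iss, sid)
    elif cookie_session is not None:
        target = cookie_session
    else:
        return 200, "no session to end"

    # Logout is idempotent: a repeated or stale request is not an error.
    if store.end(*target):
        return 200, "session ended"
    return 200, "no matching session"


def build_logout_urls(issuer, sid, rp_logout_uris):
    """OP side: one logout URL per registered RP logout URI, each carrying iss and sid.

    Producing a URL for every registered logout URI ("hit them all") mirrors the
    multiple-logout-URI handling described in the thread; the OP would embed
    each URL as an <img> or iframe src on its logout page.
    """
    urls = []
    for uri in rp_logout_uris:
        parts = urlparse(uri)
        extra = urlencode({"iss": issuer, "sid": sid})
        query = parts.query + ("&" if parts.query else "") + extra
        urls.append(urlunparse(parts._replace(query=query)))
    return urls
```

With two sessions that share the sid value "s1" but come from different OPs, a logout request carrying iss for op-a ends only the op-a session; the same request without iss is refused, and repeating it is harmless.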
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20150225/cdd30e97/attachment.html>