[Openid-specs-ab] First full HTML-based logout spec published

Mike Jones Michael.Jones at microsoft.com
Mon Mar 9 23:51:25 UTC 2015


Thanks for pointing out the typos, Thomas.  I was writing that text apparently too quickly.  I’ll correct it!

You’re right that Session Management is about state change but the primary state change reacted to by the RP is logout.  That’s why the next-to-last paragraph in the RP iframe section at http://openid.net/specs/openid-connect-session-1_0.html#RPiframe says:
When the RP detects a session state change, it SHOULD first try a prompt=none request within an iframe to obtain a new ID Token and session state, sending the old ID Token as the id_token_hint. If the RP receives an ID token for the same End-User, it SHOULD simply update the value of the session state. If it doesn't receive an ID token or receives an ID token for another End-User, then it needs to handle this case as a logout for the original End-User.

Both specs can do either RP- or OP-initiated logout.  (The RP-initiated logout is the same in both.)  In one, the OP communicates the logout message with a GET (an HTTP action) and in the other with a postMessage (an HTML action).  That’s why we chose the name – because there’s some differentiation based on the two mechanisms.

The problem with the “browser-based logout” name is that the Session Management spec also facilitates browser-based logout.  We were trying for a name that differentiates the two specs.

We should probably continue talking about the name.  Let’s add it as a topic to the Thursday working group call.  Thomas – you’re free to join it.  Join at https://www3.gotomeeting.com/join/181372694 or +1 (646) 982-0002, access code 181-372-694 or see https://global.gotomeeting.com/public/prelogin.html#meetings/181372694/numbersdisplay for more phone numbers.  The call is at 7am US Pacific Time which would be 15:00 CET this week.

                                                            Cheers,
                                                            -- Mike
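An added example (not from this thread or the OpenID specs) of the RP-side logic Mike quotes from the Session Management spec: build the prompt=none request with the old ID Token as id_token_hint, then classify the OP's answer as "same End-User, update session state" or "treat as logout". Endpoint, client and token values are constructed, and the ID Token signature is assumed to be verified by the RP's JWT library before the claims are read.

```python
import base64
import json
from urllib.parse import urlencode


def b64url_json(obj):
    """Base64url-encode a JSON object without padding (one JWT segment)."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def jwt_claims(id_token):
    """Return the payload claims of a compact JWT (header.payload.signature).
    Assumption: the RP's JWT library has already verified the signature."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def prompt_none_url(authz_endpoint, client_id, redirect_uri, old_id_token, state, nonce):
    """Authorization Request loaded in the hidden iframe: prompt=none with the
    old ID Token as id_token_hint, so the OP can answer without showing any UI."""
    params = {
        "response_type": "id_token",
        "scope": "openid",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "prompt": "none",
        "id_token_hint": old_id_token,
        "state": state,
        "nonce": nonce,
    }
    return authz_endpoint + "?" + urlencode(params)


def handle_session_state_change(old_claims, response, expected_nonce):
    """Classify the OP's answer to the prompt=none request.
    old_claims: claims of the ID Token the RP holds for this session.
    response: parsed redirect fragment, {"error": ...} or {"id_token": ..., "session_state": ...}.
    Returns ("update", new_session_state) or ("logout", reason)."""
    if "id_token" not in response:  # e.g. error=login_required: the OP session is gone
        return ("logout", response.get("error", "no_id_token"))
    new = jwt_claims(response["id_token"])
    if new.get("nonce") != expected_nonce:  # not the reply to our own request
        return ("logout", "nonce_mismatch")
    if new.get("iss") != old_claims.get("iss") or new.get("sub") != old_claims.get("sub"):
        return ("logout", "different_end_user")  # another End-User logged in at the OP
    return ("update", response["session_state"])  # same End-User: keep the RP session
```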

From: Thomas Broyer [mailto:t.broyer at gmail.com]
Sent: Monday, March 09, 2015 4:11 PM
To: Mike Jones; mail at alfred-albrecht.net; openid-specs-ab at lists.openid.net
Subject: Re: [Openid-specs-ab] First full HTML-based logout spec published

Session Management is not about "logout", more about "state change" to trigger a re-auth and possibly get an error that will trigger a "logout at the RP" (or to put it differently, "end of session")
The section about logout in Session Management is RP-Initiated logout at the OP, whereas this spec is OP-Initiated logout (end of session) at the RPs.
So "HTML-Based Logout" (as you mistyped almost everywhere: here, on your blog, on twitter, on the openid.net web pages) would be much better than "HTTP-Based Logout" IMO (what part of OIDC is not HTTP to begin with?), or maybe "browser-based logout"? Or how about "OP-Initiated distributed logout", or something about "notifying RPs of logout at the OP".

On Mon, Mar 9, 2015 at 6:15 PM Mike Jones <Michael.Jones at microsoft.com> wrote:
The title is currently "OpenID Connect HTTP-Based Logout 1.0".  It's HTTP, because it's HTTP methods such as GET that trigger the logouts.  If anything, the Session Management spec is really the one that's HTML-based logout, because it's using HTML5 postMessage calls to trigger the logouts.  (We'd discussed that on the Thursday working group call, in fact.)

People are encouraged to keep thinking about the naming.  The current name is the best that the working group had come up with, to date, but a more compelling name would of course be great.

                                -- Mike

-----Original Message-----
From: Openid-specs-ab [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of mail at alfred-albrecht.net
Sent: Saturday, March 07, 2015 12:32 AM
To: openid-specs-ab at lists.openid.net
Subject: Re: [Openid-specs-ab] First full HTML-based logout spec published

Would it make sense to rename the spec to "HTML-based logout"? Or do you plan to define more logout techniques?

Furthermore it seems that logout_supported is now http_logout_supported.
Maybe a typo.

--
Alfred

Am 06.03.2015 um 08:25 schrieb Mike Jones:
> The first full version of the HTML-based logout spec is now published
> at http://openid.net/specs/openid-connect-logout-1_0.html.  It's also
> listed on the Connect page at http://openid.net/connect/, the working
> group repository at http://openid.bitbucket.org/, and the working
> group page at http://openid.net/wg/connect/.
>
> Semantic changes based on feedback since the 24-Feb-15 version are:
>
> *        Removed the "iss" query parameter.
>
> *        Added an entropy requirement for "sid" values.
>
> *        Renamed "logout_supported" to "html_logout_supported".
>
>                                                             -- Mike
_______________________________________________
Openid-specs-ab mailing list
Openid-specs-ab at lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-specs-ab