[Openid-specs-ab] First full HTML-based logout spec published

Mike Jones Michael.Jones at microsoft.com
Mon Mar 16 23:27:20 UTC 2015

Thanks for the review, Jim.  Your comments all seem correct to me.  I'll plan to incorporate them in the next draft.

                                                                -- Mike

From: Openid-specs-ab [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Jim des Rivieres
Sent: Monday, March 16, 2015 8:34 AM
To: openid-specs-ab at lists.openid.net
Subject: Re: [Openid-specs-ab] First full HTML-based logout spec published

Here are some comments on draft 00 of OpenID Connect HTTP-Based Logout 1.0.

re: 2. Relying Party Logout Functionality

> Upon receiving the GET, the RP clears state associated with the logged-in session, including any cookies, and then returns an image and a HTTP 200 status code.

The RP's response also needs anti-caching headers (Cache-Control: no-store, Pragma: no-cache) to prevent the user agent from caching the response. Otherwise caching of one logout response could interfere with future logouts.

> If the RP supports OpenID Connect Dynamic Client Registration 1.0 [OpenID.Registration], it uses this metadata value to register the logout URL:

Regardless of whether the RP supports OpenID.Registration, the RP's registration with the OP needs to include the logout URL, logout_use_iframe and logout_session_required settings (when the OP supports the latter). This makes it awkward to frame this section entirely in terms of OpenID.Registration. Since a parameter is passed to the logout URL, it might be clearer to call it the RP's Logout endpoint (cf. OAuth2 Redirection endpoint). Like other OAuth2/OIDC endpoint URIs, the spec should spell out the restrictions on the endpoint URI; e.g., "The Logout endpoint URI MUST be an absolute URI as defined by [RFC3986] Section 4.3. The Logout endpoint URI MAY include an "application/x-www-form-urlencoded" formatted (per [RFC 6749] Appendix B) query component ([RFC3986] Section 3.4), which MUST be retained when adding additional query parameters. The Logout endpoint URI MUST NOT include a fragment component."

re: 3. OpenID Provider Logout Functionality

> sid (Session ID) OPTIONAL. String identifier for a Session - a pairing of an OP to a User Agent or device for a logged-in End-User.

Shouldn't the Session ID bind in the RP as well? If an OP were to use the same sid value across multiple RPs, it would be easy enough for a naughty RP to cause another RP2 to logout, with no way for RP2 to defend itself.
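Added illustration, not code from the draft or from anyone in this thread: a Python sketch of an RP Logout endpoint handler that sends the anti-caching headers Jim asks for, always answers 200 with an image, and clears only a session whose recorded sid matches the sid in the request. The names RpSessionStore, handle_logout_get and the rp_session cookie are assumptions; the sid check only protects RP2 if the OP issues RP-specific sid values, which is Jim's second point.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed 1x1 transparent GIF so the response carries a real image body.
TRANSPARENT_GIF = (
    b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff\x21\xf9\x04"
    b"\x01\x00\x00\x00\x00\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x44\x01\x00\x3b"
)

# Anti-caching headers so the user agent cannot replay a cached logout response.
NO_CACHE_HEADERS = {
    "Cache-Control": "no-store",
    "Pragma": "no-cache",
    "Content-Type": "image/gif",
}


class RpSessionStore:
    """Hypothetical RP session table: session cookie value -> state, where the
    sid is the one this RP received in its own ID Token at login."""

    def __init__(self):
        self.sessions = {}

    def login(self, cookie, sub, sid):
        self.sessions[cookie] = {"sub": sub, "sid": sid}

    def is_logged_in(self, cookie):
        return cookie in self.sessions


def handle_logout_get(store, url, cookie):
    """Handle a GET on the RP's Logout endpoint.

    Returns (status, headers, body, cleared). State is cleared only when the
    sid in the query equals the sid recorded for the session the UA's cookie
    identifies; a sid that belongs to another RP's session (or to no session
    of ours) does nothing. The 200 + image response is returned in every case
    so the OP's iframe load completes and the status code leaks nothing.
    """
    sid = parse_qs(urlsplit(url).query).get("sid", [None])[0]
    session = store.sessions.get(cookie)
    headers = dict(NO_CACHE_HEADERS)
    cleared = False
    if session is not None and sid is not None and sid == session["sid"]:
        del store.sessions[cookie]
        # "including any cookies": expire the hypothetical rp_session cookie.
        headers["Set-Cookie"] = "rp_session=; Max-Age=0; Secure; HttpOnly"
        cleared = True
    return 200, headers, TRANSPARENT_GIF, cleared
```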
