[Openid-specs-ab] Back-Channel Logout Token Proposal

William Denniss wdenniss at google.com
Thu Apr 7 21:46:14 UTC 2016


I had a discussion with Mike, John and Nat about event JWT formats at
IETF95, specifically as they relate to the Back-Channel Logout spec.

Here is an example of what the Back-Channel Logout Token could look like
with an extensible event treatment:

  {
      "iss": "https://server.example.com",
      "aud": "s6BhdRkqt3",
      "jti": "3d0c3cf797584bd193bd0fb1bd4e7d30",
      "sub": "248289761001",
      "iat": 1458668180,
      "exp": 1458668580,
      "events": [
          "https://specs.openid.net/logout"
      ],
      "https://specs.openid.net/logout": {
          "sid": "08a5019c-17e1-4977-8f42-65a12843ea02"
      }
  }

The proposed change is replacing the "logout_only" claim in the current draft
<http://openid.net/specs/openid-connect-backchannel-1_0.html#LogoutToken>
with an "events" claim, a list of event type URI references. Each of these
event type URIs is also a claim of its own, containing the event-specific
attributes. The Back-Channel Logout spec would register just 1 event type:
"https://specs.openid.net/logout", and the "sid" attribute would move to the
logout attribute group.
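
Added example, not part of the original message or of any OpenID code: a sketch of how a relying party could check the claims of a token in the proposed format once the JWT signature has been verified elsewhere. The function name, the jti replay set, the 60-second clock skew and the requirement that at least one of "sub" or "sid" be present are assumptions of this example.

```python
import time

LOGOUT_EVENT = "https://specs.openid.net/logout"  # event type URI from the message

class LogoutTokenError(ValueError):
    """Raised when a logout token's claims fail validation."""

def validate_logout_claims(claims, issuer, client_id, seen_jti, now=None, skew=60):
    """Check claims of an already signature-verified token; return (sub, sid)."""
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise LogoutTokenError("unexpected iss")
    aud = claims.get("aud")  # accept a single string or a list of audiences
    auds = [aud] if isinstance(aud, str) else aud if isinstance(aud, list) else []
    if client_id not in auds:
        raise LogoutTokenError("token not issued to this client")
    iat, exp = claims.get("iat"), claims.get("exp")
    if not all(isinstance(t, (int, float)) for t in (iat, exp)):
        raise LogoutTokenError("iat and exp must be numeric")
    if iat > now + skew or exp <= now - skew:
        raise LogoutTokenError("token not valid at this time")
    # The "events" list is what marks this JWT as a logout token; a token that
    # does not list the logout URI must never end a session.
    events = claims.get("events")
    if not isinstance(events, list) or LOGOUT_EVENT not in events:
        raise LogoutTokenError("logout event not listed in events")
    attrs = claims.get(LOGOUT_EVENT)  # event-specific attribute group
    if not isinstance(attrs, dict):
        raise LogoutTokenError("missing logout attribute group")
    sub, sid = claims.get("sub"), attrs.get("sid")
    if not any(isinstance(v, str) and v for v in (sub, sid)):  # assumed rule
        raise LogoutTokenError("need sub or sid to pick sessions to end")
    jti = claims.get("jti")
    if not isinstance(jti, str) or jti in seen_jti:  # assumed replay check
        raise LogoutTokenError("missing or replayed jti")
    seen_jti.add(jti)  # record only after every other check has passed
    return sub, sid

# Claims copied from the example token in the message above.
SAMPLE = {
    "iss": "https://server.example.com", "aud": "s6BhdRkqt3",
    "jti": "3d0c3cf797584bd193bd0fb1bd4e7d30", "sub": "248289761001",
    "iat": 1458668180, "exp": 1458668580,
    "events": [LOGOUT_EVENT],
    LOGOUT_EVENT: {"sid": "08a5019c-17e1-4977-8f42-65a12843ea02"},
}

if __name__ == "__main__":
    print(validate_logout_claims(SAMPLE, "https://server.example.com",
                                 "s6BhdRkqt3", set(), now=1458668200))
```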