[Openid-specs-ab] Back-Channel Logout Token Proposal

Mike Jones Michael.Jones at microsoft.com
Thu Apr 7 22:03:42 UTC 2016

I’ll note that the “events” syntax below is based on Phil Hunt’s ID Events proposal, which William has been working on with him.  See the id-event mailing list for more details.  The announcement of the id-event mailing list is at http://www.ietf.org/mail-archive/web/ietf-announce/current/msg14839.html.

                                                          -- Mike

From: Openid-specs-ab [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of William Denniss
Sent: Thursday, April 7, 2016 6:46 PM
To: openid-specs-ab at lists.openid.net
Subject: [Openid-specs-ab] Back-Channel Logout Token Proposal

I had a discussion with Mike, John and Nat about event JWT formats at IETF95, specifically as they relate to the Back-Channel Logout spec.

Here is an example of what the Back-Channel Logout Token could look like with an extensible event treatment:

      {
        "iss": "https://server.example.com",
        "aud": "s6BhdRkqt3",
        "jti": "3d0c3cf797584bd193bd0fb1bd4e7d30",
        "sub": "248289761001",
        "iat": 1458668180,
        "exp": 1458668580,
        "events": [
          "https://specs.openid.net/logout"
        ],
        "https://specs.openid.net/logout": {
          "sid": "08a5019c-17e1-4977-8f42-65a12843ea02"
        }
      }

The proposed change is replacing the "logout_only" claim in the current draft<http://openid.net/specs/openid-connect-backchannel-1_0.html#LogoutToken> with an "events" claim, a list of event type URI references. Each of these event type URIs is also a claim of its own, containing the event-specific attributes. The Back-Channel Logout spec would register just 1 event type: "https://specs.openid.net/logout", and the "sid" attribute would move to the logout attribute group.
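
An added example, not part of the original messages or of any OpenID specification text: a relying-party check of already-decoded claims against the "events" layout proposed above. It assumes signature, "iss" and "aud" validation happened earlier; the function names and the policy choices (reject an expired token, skip unknown event types, require each handled event's attribute claim to be an object) are assumptions.

```python
import time

LOGOUT_EVENT = "https://specs.openid.net/logout"  # event type URI from the proposal


class LogoutTokenError(ValueError):
    """Raised when claims do not match the proposed token layout."""


def extract_events(claims, now=None, known_events=(LOGOUT_EVENT,)):
    """Return {event_uri: attributes} for each handled event listed in "events"."""
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if isinstance(exp, bool) or not isinstance(exp, (int, float)) or exp <= now:
        raise LogoutTokenError("token expired or exp missing")
    events = claims.get("events")
    if not isinstance(events, list) or not events:
        raise LogoutTokenError('"events" must be a non-empty list')
    result = {}
    for uri in events:
        if not isinstance(uri, str):
            raise LogoutTokenError("event entries must be strings")
        if uri not in known_events:
            continue  # extensibility: ignore event types this RP does not handle
        attrs = claims.get(uri)
        if not isinstance(attrs, dict):
            raise LogoutTokenError(f"no attribute claim for event {uri}")
        result[uri] = attrs
    return result


def sessions_to_end(claims, now=None):
    """Return (sub, sid) if the token announces a logout, else None.

    Only the "events" list decides; a logout claim that is present but not
    listed in "events" is ignored.
    """
    events = extract_events(claims, now)
    if LOGOUT_EVENT not in events:
        return None
    return claims.get("sub"), events[LOGOUT_EVENT].get("sid")


# Constructed sample: the claims shown in the message above.
SAMPLE = {
    "iss": "https://server.example.com", "aud": "s6BhdRkqt3",
    "jti": "3d0c3cf797584bd193bd0fb1bd4e7d30", "sub": "248289761001",
    "iat": 1458668180, "exp": 1458668580,
    "events": [LOGOUT_EVENT],
    LOGOUT_EVENT: {"sid": "08a5019c-17e1-4977-8f42-65a12843ea02"},
}
```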
