[Openid-specs-ab] Unifying the Front-Channel and Back-Channel Logout Session ID semantics
Michael.Jones at microsoft.com
Thu Apr 7 22:20:16 UTC 2016
One of the things blocking us from taking the Front-Channel and Back-Channel logout specs to Implementer's Draft status is that they currently use the Session ID ("sid" claim) differently. The Front-Channel spec expects "sid" to be globally unique. The Back-Channel spec only expects it to be unique in the context of an IdP - just like "sub" is.
In talking with John and Nat and William at IETF 95, we discussed the possibility of unifying the definitions by changing the Front-Channel usage to match the Back-Channel usage. In the case when logging out only one session at an RP using the front-channel spec, this would necessitate adding an additional "iss" (issuer) parameter to the logout request, so that it would become:
In the simple case, one could still use only:
without any parameters if it is OK to log out all sessions at the RP.
Are people OK with this change? It could provide us a way forward to bring both the Front-Channel and Back-Channel specifications to Implementer's Draft status.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Openid-specs-ab