[Openid-specs-ab] Back-Channel Logout Token Proposal

William Denniss wdenniss at google.com
Fri Apr 8 15:10:30 UTC 2016


Thanks for pointing this out Mike, that's correct.

Thinking a little more about this, we probably keep the session-id claim
("sid") as a standard JWT claim, as it is useful in many places (e.g. ID
Tokens), so perhaps a better logout token format would be:

{
  "iss": "https://server.example.com",
  "aud": "s6BhdRkqt3",
  "jti": "3d0c3cf797584bd193bd0fb1bd4e7d30",
  "sub": "248289761001",
  "iat": 1458668180,
  "exp": 1458668580,
  "events": [
    "https://specs.openid.net/logout"
  ],
  "sid": "08a5019c-17e1-4977-8f42-65a12843ea02"
}

If we had additional standard logout-specific attributes we could put them
in the "https://specs.openid.net/logout" claim as per my previous example,
but for simple events like this, that attribute dictionary may not be
needed.

Effectively the delta would then just be replacing "logout_only":"true",
with "events": [
    "https://specs.openid.net/logout"
  ],


On Thu, Apr 7, 2016 at 7:03 PM, Mike Jones <Michael.Jones at microsoft.com>
wrote:

> I’ll note that the “events” syntax below is based on Phil Hunt’s ID Events
> proposal, which William has been working on with him.  See the id-event
> mailing list for more details.  The announcement of the id-event mailing
> list is at
> http://www.ietf.org/mail-archive/web/ietf-announce/current/msg14839.html.
>
>                                                           -- Mike
>
> *From:* Openid-specs-ab [mailto:openid-specs-ab-bounces at lists.openid.net] *On
> Behalf Of *William Denniss
> *Sent:* Thursday, April 7, 2016 6:46 PM
> *To:* openid-specs-ab at lists.openid.net
> *Subject:* [Openid-specs-ab] Back-Channel Logout Token Proposal
>
> I had a discussion with Mike, John and Nat about event JWT formats at
> IETF95, specifically as they relate to the Back-Channel Logout spec.
>
> Here is an example of what the Back-Channel Logout Token could look like
> with an extensible event treatment:
>
>   {
>       "iss": "https://server.example.com",
>       "aud": "s6BhdRkqt3",
>       "jti": "3d0c3cf797584bd193bd0fb1bd4e7d30",
>       "sub": "248289761001",
>       "iat": 1458668180,
>       "exp": 1458668580,
>       "events": [
>           "https://specs.openid.net/logout"
>       ],
>       "https://specs.openid.net/logout": {
>           "sid": "08a5019c-17e1-4977-8f42-65a12843ea02"
>       }
>   }
>
> The proposed change is replacing the "logout_only" claim in the current
> draft <http://openid.net/specs/openid-connect-backchannel-1_0.html#LogoutToken>
> with an "events" claim, a list of event type URI references. Each of these
> event type URIs is also a claim of its own, containing the event-specific
> attributes. The Back-Channel Logout spec would register just 1 event type:
> "https://specs.openid.net/logout", and the "sid" attribute would move to
> the logout attribute group.
>
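Added example (not part of the thread, and not code from the OpenID working group): a Python validator for the claim set of a logout token that accepts both layouts discussed above, "sid" as a top-level claim (William's revised proposal) or "sid" inside the "https://specs.openid.net/logout" attribute group (the original proposal). The function name, its `issuer`/`client_id`/`seen_jti`/`skew` parameters and the second token's "jti" value are assumptions made for the example; the other claim values are the ones quoted in the thread. Signature verification of the JWS is assumed to have been done by a JWT library before the decoded claims reach this function.

```python
import time

# Event type URI the proposal registers for the logout event.
LOGOUT_EVENT = "https://specs.openid.net/logout"

# Constructed sample claim sets (decoded JWT payloads) modelled on the two
# layouts in the thread. The JWS signature is assumed to be verified already.
REVISED_TOKEN = {   # "sid" as a top-level claim (revised layout)
    "iss": "https://server.example.com",
    "aud": "s6BhdRkqt3",
    "jti": "3d0c3cf797584bd193bd0fb1bd4e7d30",
    "sub": "248289761001",
    "iat": 1458668180,
    "exp": 1458668580,
    "events": [LOGOUT_EVENT],
    "sid": "08a5019c-17e1-4977-8f42-65a12843ea02",
}
ORIGINAL_TOKEN = {  # "sid" inside the event attribute group (original layout)
    "iss": "https://server.example.com",
    "aud": "s6BhdRkqt3",
    "jti": "5e1f0a6b2c3d4e5f6a7b8c9d0e1f2a3b",   # constructed jti, not from the thread
    "sub": "248289761001",
    "iat": 1458668180,
    "exp": 1458668580,
    "events": [LOGOUT_EVENT],
    LOGOUT_EVENT: {"sid": "08a5019c-17e1-4977-8f42-65a12843ea02"},
}


class LogoutTokenError(ValueError):
    """Raised when a logout token must be rejected."""


def validate_logout_token(claims, issuer, client_id, seen_jti, now=None, skew=60):
    """Validate a decoded logout token and return (sub, sid) to log out.

    seen_jti is a mutable set owned by the caller and used for replay
    protection; in production it would be a store shared across RP instances.
    """
    now = time.time() if now is None else now

    # Claims the token must carry before we look at anything else.
    for name in ("iss", "aud", "iat", "jti", "events"):
        if name not in claims:
            raise LogoutTokenError(f"missing required claim {name!r}")

    if claims["iss"] != issuer:
        raise LogoutTokenError("issuer mismatch")

    # "aud" may be a single string or a list; this client must be in it.
    aud = claims["aud"]
    if isinstance(aud, str):
        aud = [aud]
    if client_id not in aud:
        raise LogoutTokenError("token not addressed to this client")

    # Time checks with a small clock-skew allowance.
    if claims["iat"] > now + skew:
        raise LogoutTokenError("token issued in the future")
    if "exp" in claims and claims["exp"] <= now - skew:
        raise LogoutTokenError("token expired")

    # The "events" list must name the logout event, otherwise this is some
    # other event type and must not trigger a logout.
    events = claims["events"]
    if not isinstance(events, list) or LOGOUT_EVENT not in events:
        raise LogoutTokenError("not a logout event")

    # Replay protection: each jti is accepted once.
    if claims["jti"] in seen_jti:
        raise LogoutTokenError("replayed logout token (jti already seen)")
    seen_jti.add(claims["jti"])

    # Session id: top-level "sid" (revised layout) or inside the event group
    # (original layout). A token must identify a session or a subject.
    sid = claims.get("sid")
    group = claims.get(LOGOUT_EVENT)
    if sid is None and isinstance(group, dict):
        sid = group.get("sid")
    sub = claims.get("sub")
    if sid is None and sub is None:
        raise LogoutTokenError("token identifies neither a session nor a subject")
    return sub, sid


if __name__ == "__main__":
    seen = set()
    for token in (REVISED_TOKEN, ORIGINAL_TOKEN):
        print(validate_logout_token(token, "https://server.example.com",
                                    "s6BhdRkqt3", seen, now=1458668200))
```

The jti is recorded only after every other check has passed, so a token rejected for any reason does not consume its jti, and the "events" check is what separates a logout event from any other event type a future spec might deliver in the same JWT envelope.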