[Openid-specs-ab] Back Channel logout.

William Denniss wdenniss at google.com
Fri Apr 8 15:15:27 UTC 2016


Adding openid-specs-ab at lists.openid.net on this discussion about the
sid/sub values with regards to logout tokens.

On Fri, Apr 8, 2016 at 12:07 PM, John Bradley <ve7jtb at ve7jtb.com> wrote:

> In a different conversation we were discussing ephemeral subjects.
>
> Thinking about it sid is effectively the ephemeral subject value.
>

If the original id token asserts the sid as the sub, then that makes sense.

Perhaps the two claims could be equal for those cases.


> A note to AS that SID values should not collide with pairwise or public
> subjects may be useful.
>

If we keep sub as a MUST, then this would have to be the case, but probably
worth pointing out again.

On Fri, Apr 8, 2016 at 12:11 PM, John Bradley <ve7jtb at ve7jtb.com> wrote:

> Yes we can move the discussion to the list.
>
> My concern is that we have sub as required.
>
> Optional is fine as long as clients understand they cannot scope sid by
> subject to look it up.
>
> John
>
> On Apr 8, 2016, at 12:06 PM, William Denniss <wdenniss at google.com> wrote:
>
> While per the JWT spec, 'sub' is designed to be used in this manner and it
> conceptually makes sense for the sub to be the session-id, I think it will
> create implementation complexity for two reasons:
>
> 1) Connect defines sub as "Subject - Identifier for the End-User at the
> Issuer." which is really a more specific definition than JWT.
>
> I think it will be confusing in the Connect family of specs to use 'sub'
> to mean something other than "user id" (be it global, pairwise, or
> anonymous).
>
> 2) Having some tokens with sub = userid, and sid = session id, and others
> with just sub is confusing.
>
> My preference would be to always send 'sid' in the same way, and make
> 'sub' OPTIONAL (as per JWT).
>
> btw. can we move discussion to the list?
>
>
> On Fri, Apr 8, 2016 at 11:45 AM, Brian Campbell <
> bcampbell at pingidentity.com> wrote:
>
>> Indeed.
>>
>> Without thinking too much about it, I'd want to lean on SID and have only
>> one identifier. One (of many) issues that SAML SLO had was a multitude of
>> ways to try and identify the subject and session or sessions, which
>> complicated the heck out of things and/or just didn't work.
>>
>> On Thu, Apr 7, 2016 at 7:32 PM, John Bradley <ve7jtb at ve7jtb.com> wrote:
>>
>>> Currently sub is always required.
>>>
>>> I can however see not providing sub or using SID as the sub if the
>>> message is only about the session and not the user.
>>>
>>> I can see some privacy use cases for not wanting to reveal the sub.
>>>
>>> I however understand that Clients might organize their tables by sub.
>>>
>>> This is something we should probably talk about.
>>>
>>> John B.
>>
>>
>>
>
>
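An added example, not code from this thread or from any OpenID implementation, of how a relying party could keep its session table so that it can act on a logout token that carries sid, sub, or both. It follows the point made above that if sub becomes OPTIONAL a client cannot scope its sid lookup by subject, so sid is indexed per issuer on its own and must not collide with subject values. It assumes the logout token's JWT signature and its iss/aud/iat/events claims were already verified upstream and only the decoded claims dict is handled here; the session rows and token claims are constructed sample data, and the local session handles, issuer URL and the sid/sub precedence rules are illustrative choices, not spec text.

```python
"""Relying-party session index for back-channel logout tokens (added example).

Assumptions (not from the thread): the caller has already verified the logout
token's signature, iss, aud, iat and events; this code only resolves the
token's sid/sub claims to local sessions. All data below is constructed.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Session:
    local_id: str          # RP's own cookie / session handle
    iss: str               # OP that authenticated the user
    sub: str               # subject identifier from the ID token
    sid: Optional[str]     # OP session id from the ID token, if it had one


@dataclass
class SessionStore:
    """Two independent indexes: (iss, sid) and (iss, sub).

    sid is looked up WITHOUT scoping by subject: if 'sub' is optional in the
    logout token the RP cannot rely on it to narrow the search. That is only
    safe if the OP keeps sid values unique per issuer and disjoint from sub
    values, which is the collision caveat raised in the thread.
    """
    sessions: dict = field(default_factory=dict)   # local_id -> Session
    by_sid: dict = field(default_factory=dict)     # (iss, sid) -> {local_id}
    by_sub: dict = field(default_factory=dict)     # (iss, sub) -> {local_id}

    def add(self, s: Session) -> None:
        self.sessions[s.local_id] = s
        self.by_sub.setdefault((s.iss, s.sub), set()).add(s.local_id)
        if s.sid is not None:
            self.by_sid.setdefault((s.iss, s.sid), set()).add(s.local_id)

    def remove(self, local_id: str) -> None:
        s = self.sessions.pop(local_id)
        self.by_sub[(s.iss, s.sub)].discard(local_id)
        if s.sid is not None:
            self.by_sid[(s.iss, s.sid)].discard(local_id)


def sessions_to_terminate(store: SessionStore, claims: dict) -> set:
    """Resolve a pre-verified logout token's claims to local session ids.

    Precedence (an illustrative choice, leaning on sid as the thread prefers):
      - sid present: terminate exactly that OP session. If sub is also present
        it is cross-checked against the stored session; a mismatch means a
        collision or a misrouted/forged token, so fail closed and terminate
        nothing.
      - only sub present: terminate every session for that subject at this
        issuer (user-wide logout).
      - neither: the token identifies nothing; reject it.
    """
    iss = claims["iss"]
    sid = claims.get("sid")
    sub = claims.get("sub")
    if sid is None and sub is None:
        raise ValueError("logout token carries neither sid nor sub")
    if sid is not None:
        matched = set(store.by_sid.get((iss, sid), set()))
        if sub is not None:
            for local_id in matched:
                if store.sessions[local_id].sub != sub:
                    raise ValueError("sid/sub mismatch in logout token")
        return matched
    return set(store.by_sub.get((iss, sub), set()))


def handle_logout(store: SessionStore, claims: dict) -> list:
    """Terminate the resolved sessions; returns the sorted local ids removed."""
    ids = sorted(sessions_to_terminate(store, claims))
    for local_id in ids:
        store.remove(local_id)
    return ids


def build_sample_store() -> SessionStore:
    """Constructed sample data: two users, one session without a sid."""
    store = SessionStore()
    op = "https://op.example"          # hypothetical issuer
    for s in (Session("c1", op, "user-A", "sid-1"),
              Session("c2", op, "user-A", "sid-2"),
              Session("c3", op, "user-B", "sid-3"),
              Session("c4", op, "user-B", None)):
        store.add(s)
    return store


if __name__ == "__main__":
    store = build_sample_store()
    print(handle_logout(store, {"iss": "https://op.example", "sid": "sid-1"}))
    print(handle_logout(store, {"iss": "https://op.example", "sub": "user-B"}))
```

The sid-only path terminates one OP session and leaves the user's other sessions (c2) alone, the sub-only path logs the subject out everywhere at that issuer including the session whose ID token carried no sid, and a sid that matches a session belonging to a different sub is treated as an error rather than silently honoured.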