[Openid-specs-ab] Back-Channel Logout Token Proposal

Anthony Nadalin tonynad at microsoft.com
Sat Apr 9 22:10:28 UTC 2016


Worried about

1. Timestamps
2. Event versioning
3. Schema for the actual event

From: Openid-specs-ab [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of William Denniss
Sent: Friday, April 8, 2016 8:11 AM
To: Mike Jones <Michael.Jones at microsoft.com>
Cc: openid-specs-ab at lists.openid.net
Subject: Re: [Openid-specs-ab] Back-Channel Logout Token Proposal

Thanks for pointing this out Mike, that's correct.

Thinking a little more about this, we probably keep the session-id claim ("sid") as a standard JWT claim, as it is useful in many places (e.g. ID Tokens), so perhaps a better logout token format would be:

{
  "iss": "https://server.example.com",
  "aud": "s6BhdRkqt3",
  "jti": "3d0c3cf797584bd193bd0fb1bd4e7d30",
  "sub": "248289761001",
  "iat": 1458668180,
  "exp": 1458668580,
  "events": [
    "https://specs.openid.net/logout"
  ],
  "sid": "08a5019c-17e1-4977-8f42-65a12843ea02"
}

If we had additional standard logout-specific attributes we could put them in the "https://specs.openid.net/logout" claim as per my previous example, but for simple events like this, that attribute dictionary may not be needed.

Effectively the delta would then just be replacing "logout_only":"true", with "events": [
    "https://specs.openid.net/logout"
  ],


On Thu, Apr 7, 2016 at 7:03 PM, Mike Jones <Michael.Jones at microsoft.com> wrote:

I'll note that the "events" syntax below is based on Phil Hunt's ID Events proposal, which William has been working on with him.  See the id-event mailing list for more details.  The announcement of the id-event mailing list is at http://www.ietf.org/mail-archive/web/ietf-announce/current/msg14839.html.



-- Mike



From: Openid-specs-ab [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of William Denniss
Sent: Thursday, April 7, 2016 6:46 PM
To: openid-specs-ab at lists.openid.net
Subject: [Openid-specs-ab] Back-Channel Logout Token Proposal



I had a discussion with Mike, John and Nat about event JWT formats at IETF95, specifically as they relate to the Back-Channel Logout spec.

Here is an example of what the Back-Channel Logout Token could look like with an extensible event treatment:

  {
      "iss": "https://server.example.com",
      "aud": "s6BhdRkqt3",
      "jti": "3d0c3cf797584bd193bd0fb1bd4e7d30",
      "sub": "248289761001",
      "iat": 1458668180,
      "exp": 1458668580,
      "events": [
          "https://specs.openid.net/logout"
      ],
      "https://specs.openid.net/logout": {
          "sid": "08a5019c-17e1-4977-8f42-65a12843ea02"
      }
  }

The proposed change is replacing the "logout_only" claim in the current draft <http://openid.net/specs/openid-connect-backchannel-1_0.html#LogoutToken> with an "events" claim, a list of event type URI references. Each of these event type URIs is also a claim of its own, containing the event-specific attributes. The Back-Channel Logout spec would register just 1 event type: "https://specs.openid.net/logout", and the "sid" attribute would move to the logout attribute group.
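As an added example (not code from this thread or from the OpenID specs), the checks a relying party would run on a logout token payload after signature verification, written to accept both layouts proposed in the thread: the original one with "sid" inside the event-attribute group keyed by the event URI, and the revised one with "sid" as a top-level claim. The sample payload is constructed from the values in the thread; the function name and the caller-owned replay set are assumptions.

```python
import time

LOGOUT_EVENT = "https://specs.openid.net/logout"  # event type URI from the thread

# Constructed sample in the revised layout from the thread ("sid" as a top-level claim).
SAMPLE_TOKEN = {
    "iss": "https://server.example.com",
    "aud": "s6BhdRkqt3",
    "jti": "3d0c3cf797584bd193bd0fb1bd4e7d30",
    "sub": "248289761001",
    "iat": 1458668180,
    "exp": 1458668580,
    "events": [LOGOUT_EVENT],
    "sid": "08a5019c-17e1-4977-8f42-65a12843ea02",
}


def check_logout_token(claims, expected_iss, expected_aud, now=None, seen_jti=None):
    """Validate a signature-verified logout token payload (hypothetical helper).
    Returns (True, sid) if the RP should end the session, else (False, reason).
    Accepts "sid" in the event-attribute group (original proposal) or top-level (revised)."""
    now = time.time() if now is None else now
    # Issuer/audience binding: the same checks an RP applies to an ID Token.
    if claims.get("iss") != expected_iss:
        return False, "unexpected iss"
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        return False, "token not addressed to this client"
    # Timestamps: iat must be present and the token must not be expired.
    if not isinstance(claims.get("iat"), int):
        return False, "missing iat"
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return False, "expired or missing exp"
    # Replay: each jti is accepted once per RP (seen_jti is a caller-owned set).
    jti = claims.get("jti")
    if not jti or (seen_jti is not None and jti in seen_jti):
        return False, "missing or replayed jti"
    if seen_jti is not None:
        seen_jti.add(jti)
    # The events list replaces "logout_only": it must name the logout event.
    events = claims.get("events")
    if not isinstance(events, list) or LOGOUT_EVENT not in events:
        return False, "not a logout event"
    # sid: prefer the event-attribute group, fall back to the top-level claim.
    group = claims.get(LOGOUT_EVENT)
    sid = group.get("sid") if isinstance(group, dict) else None
    sid = sid or claims.get("sid")
    if not isinstance(sid, str) or not sid:
        return False, "missing sid"
    return True, sid
```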


