[Openid-specs-ab] Issue #1000: Logout Token has wrong mandatory field (sub vs. jti) (openid/connect)

Phil Hunt issues-reply at bitbucket.org
Thu Aug 18 14:52:14 UTC 2016

New issue 1000: Logout Token has wrong mandatory field (sub vs. jti)

Phil Hunt:

The logout token currently requires sub. If sub is the only value provided, it will require a stateful lookup to find out which ID Tokens are active, which may not be possible or may be very expensive.

Concerns with the current draft:
* sub-based logout will have the effect of logging out all sessions on all devices/browsers associated with the user and is likely not expected.
* since the logout is not session- or jti-based, it will cause timing difficulties for the user that logs back in again or is forced to re-authenticate, since a logout token might arrive after the user has established a new session.
* the token may need to convey different types: universal, session/jti, device, application
* the construction of the event will make it inconsistent with other ID Tokens (in terms of the IETF proposal) which cannot use OP "sub" as their value - or worse, other event types will start using sub as a URI to describe things other than user identifiers.
* using sub means that only the issuer of an ID Token can do a logout - which is not an appropriate limitation in a distributed deployment architecture. Validation of the event can be done by agreement on who the acceptable issuers are as part of the subscription process.

Would prefer "jti" as the single mandatory value since that is all that is needed to cancel a session represented by an ID Token.
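Added example, not part of the original post and not code from the OpenID working group: a minimal RP-side logout-token handler that contrasts the two designs the issue discusses. It assumes the RP keeps a session store keyed by the jti of the ID Token that established each session (a constructed store with users "alice" and "bob"), that the logout token arrives as an already-verified dict of claims (signature and issuer checks are out of scope), and, following the proposal in the post, that a "jti" claim in the logout token names the ID Token whose session should end. The scenario is the timing problem described above: the token for Alice's original laptop session is issued at t=200 but handled at t=220, after she has logged in again.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Session:
    sub: str
    device: str
    established_at: int  # seconds since epoch, constructed values


def build_store() -> Dict[str, Session]:
    """Constructed RP session store keyed by the jti of the ID Token that
    created each session. Alice is logged in on two devices; her laptop
    session idt-1 is later replaced by idt-3 when she logs in again (t=210),
    which is after the logout token for idt-1 was issued (t=200)."""
    return {
        "idt-1": Session("alice", "laptop", 100),
        "idt-2": Session("alice", "phone", 150),
        "idt-3": Session("alice", "laptop", 210),
        "idt-9": Session("bob", "laptop", 120),
    }


# Constructed, already-verified logout token that arrives late (handled at t=220).
LATE_LOGOUT_TOKEN = {
    "iss": "https://op.example",  # hypothetical OP
    "sub": "alice",
    "jti": "idt-1",               # assumption: names the ID Token to cancel
    "iat": 200,
}


def handle_logout_sub_based(store: Dict[str, Session], logout_token: dict) -> List[str]:
    """sub-only logout: the RP must scan its whole store (the stateful lookup
    the post objects to), ends sessions on every device, and also ends any
    session the user established after the token was issued."""
    sub = logout_token["sub"]
    ended = sorted(jti for jti, s in store.items() if s.sub == sub)
    for jti in ended:
        del store[jti]
    return ended


def handle_logout_jti_based(store: Dict[str, Session], logout_token: dict) -> List[str]:
    """jti-based logout: a single key lookup, no fan-out to other devices, and a
    late token cannot touch a newer session because that session has its own
    jti. Unknown or already-ended sessions are ignored, so replays are harmless."""
    jti = logout_token["jti"]
    return [jti] if store.pop(jti, None) is not None else []


def late_token_collateral(store: Dict[str, Session], logout_token: dict) -> List[str]:
    """Sessions of the subject that were established after the token's iat:
    exactly the sessions a sub-based logout would wrongly destroy."""
    return sorted(
        jti for jti, s in store.items()
        if s.sub == logout_token["sub"] and s.established_at > logout_token["iat"]
    )


def run_scenario() -> dict:
    """Run both handlers on identical stores and report what each ended."""
    sub_store, jti_store = build_store(), build_store()
    return {
        "collateral_if_sub_based": late_token_collateral(build_store(), LATE_LOGOUT_TOKEN),
        "sub_based_ended": handle_logout_sub_based(sub_store, LATE_LOGOUT_TOKEN),
        "sub_based_left": sorted(sub_store),
        "jti_based_ended": handle_logout_jti_based(jti_store, LATE_LOGOUT_TOKEN),
        "jti_based_left": sorted(jti_store),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The "collateral_if_sub_based" entry is the concrete form of the timing concern: with only sub available, the RP has no way to tell idt-3 (Alice's new login) apart from the session the OP actually meant to end.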
