[Openid-specs-ab] Session ID semantics aligned across OpenID Connect front-channel and back-channel logout specs

Mike Jones Michael.Jones at microsoft.com
Thu Jan 19 01:23:48 UTC 2017


This was done in the latest edit, which is available at http://openid.bitbucket.org/openid-connect-backchannel-1_0.html.

                                                                -- Mike

From: Openid-specs-ab [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Mike Jones via Openid-specs-ab
Sent: Wednesday, November 16, 2016 12:29 AM
To: Torsten Lodderstedt; Thomas Broyer; openid-specs-ab at lists.openid.net
Subject: Re: [Openid-specs-ab] Session ID semantics aligned across OpenID Connect front-channel and back-channel logout specs

I will plan to remove this in the next version unless objections are raised.  We should also add this as a discussion topic for the next Connect call.

                                                       -- Mike

From: Torsten Lodderstedt [mailto:torsten at lodderstedt.net]
Sent: Wednesday, November 16, 2016 11:47 AM
To: Mike Jones <Michael.Jones at microsoft.com>; Thomas Broyer <t.broyer at ltgt.net>; openid-specs-ab at lists.openid.net
Subject: Re: [Openid-specs-ab] Session ID semantics aligned across OpenID Connect front-channel and back-channel logout specs

Hi all,

Any development regarding this topic? I still consider that this requirement is not needed.

best regards,
Torsten.
On 27.08.2016 at 02:06, Mike Jones wrote:
I’m sympathetic to removing it but I’d like to first understand, if possible, why we included the constraint in the first place.  (Thomas may be right that it was copied from the front-channel logout spec, but there may still have been reasons for doing so.)  John?  Anyone else?

                                                       -- Mike

From: Torsten Lodderstedt [mailto:torsten at lodderstedt.net]
Sent: Friday, August 26, 2016 2:58 AM
To: Thomas Broyer <t.broyer at ltgt.net>; Mike Jones <Michael.Jones at microsoft.com>; openid-specs-ab at lists.openid.net
Subject: Re: [Openid-specs-ab] Session ID semantics aligned across OpenID Connect front-channel and back-channel logout specs

I suggest removing this constraint from the spec.
On 25.08.2016 at 16:30, Thomas Broyer wrote:
May I suggest a copy-pasta from the frontchannel spec? (where it makes sense to follow the Web Origin restrictions, in case the frontchannel_logout_uri uses localStorage/sessionStorage or similar; and it's stricter than "cookie domains" so it works for cookies too).

BTW, that makes for a good reminder of why a spec should explain the "why" of its constraints, and not just "do this", "don't do that".

On Thu, Aug 25, 2016 at 3:43 PM Mike Jones via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:
John, do you remember the rationale for the URL restrictions?  I know that we talked about this as the spec was being written ~1.5 years ago but I don’t remember the reasons off the top of my head.

                                                       -- Mike

From: Torsten Lodderstedt [mailto:torsten at lodderstedt.net]
Sent: Thursday, August 25, 2016 4:56 AM
To: Mike Jones <Michael.Jones at microsoft.com>; openid-specs-ab at lists.openid.net
Subject: Re: [Openid-specs-ab] Session ID semantics aligned across OpenID Connect front-channel and back-channel logout specs

Hi Mike,

Section 2.2 states "The domain, port, and scheme of this URL MUST be the same as that of a registered Redirection URI value."

What's the rationale for limiting the logout URL that way?

best regards,
Torsten.
On 24.08.2016 at 03:44, Mike Jones via Openid-specs-ab wrote:
Session ID definitions in the OpenID Connect front-channel and back-channel logout specs have been aligned so that the Session ID definition is now the same in both specs.  The Session ID is scoped to the Issuer in both specs now (whereas it was previously global in scope in the front-channel spec).  This means that the issuer value now needs to be supplied whenever the Session ID is.  This doesn’t change the simple (no-parameter) front-channel logout messages.  The back-channel specification is now also aligned with the ID Event Token specification.

The new specification versions are:

•       http://openid.net/specs/openid-connect-frontchannel-1_0-01.html
•       http://openid.net/specs/openid-connect-backchannel-1_0-03.html

                                                       -- Mike

P.S.  This notice was also posted at http://self-issued.info/?p=1599 and as @selfissued (https://twitter.com/selfissued).
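The two rules under discussion in this thread, as an added example that is not spec text and not code from the OpenID Foundation or any participant: the section 2.2 constraint Torsten quotes (the logout URL must share scheme, domain and port with a registered Redirection URI, which Thomas notes is the Web Origin rule and is stricter than cookie-domain matching), and the aligned Session ID definition Mike announces (an issuer value must accompany any sid). The function names, the registered URIs, the issuer and the query strings are constructed for the example; filling in the default port when a URL omits it, and lower-casing the hostname, are my assumptions about how "same port" and "same domain" should be compared, since the quoted sentence does not spell that out.

```python
"""Defender-side checks for the two logout-spec rules debated above.
Added example; not code from the OpenID Connect specs or their authors."""
from typing import Iterable, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Assumption: an omitted port means the scheme's default port, as in
# RFC 6454 origin comparison; the quoted spec sentence does not say so.
DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample data for the RP in this example.
REGISTERED_REDIRECT_URIS = [
    "https://rp.example.com/callback",
    "https://rp.example.com:8443/callback",
]
EXPECTED_ISSUER = "https://op.example.com"


def origin_of(url: str) -> Optional[Tuple[str, str, int]]:
    """Return (scheme, host, port) for an absolute http(s) URL, or None
    for anything else (relative URLs, non-http schemes, unparsable ports).
    urlparse lower-cases the hostname, so 'RP.example.com' equals
    'rp.example.com'."""
    parsed = urlparse(url)
    if parsed.scheme not in DEFAULT_PORTS or not parsed.hostname:
        return None
    try:
        port = parsed.port  # raises ValueError for a non-numeric port
    except ValueError:
        return None
    if port is None:
        port = DEFAULT_PORTS[parsed.scheme]
    return (parsed.scheme, parsed.hostname, port)


def logout_uri_matches_registered(logout_uri: str,
                                  redirect_uris: Iterable[str]) -> bool:
    """Section 2.2 check: the logout URI's origin must equal the origin of
    at least one registered Redirection URI. Path is deliberately ignored,
    since the spec only constrains scheme, domain and port."""
    target = origin_of(logout_uri)
    if target is None:
        return False
    return any(origin_of(r) == target for r in redirect_uris)


def check_frontchannel_logout_params(query: str,
                                     expected_issuer: str) -> Tuple[bool, str]:
    """Aligned Session ID rule applied to a front-channel logout request.
    A request with no parameters is the simple form and is accepted as-is;
    if sid is present, iss must be present too, and an iss that is present
    must name the OP this RP registered with."""
    params = parse_qs(query, keep_blank_values=True)
    sid = params.get("sid", [None])[0]
    iss = params.get("iss", [None])[0]
    if sid is None and iss is None:
        return True, "simple logout request with no parameters"
    if sid is not None and not iss:
        return False, "sid supplied without iss; sid is scoped to an issuer"
    if iss != expected_issuer:
        return False, "iss does not match the issuer this RP registered with"
    return True, "sid is scoped to the expected issuer"


if __name__ == "__main__":
    for uri in ("https://rp.example.com/logout",
                "https://rp.example.com:443/logout",
                "http://rp.example.com/logout",
                "https://sub.rp.example.com/logout"):
        print(uri, logout_uri_matches_registered(uri, REGISTERED_REDIRECT_URIS))
    print(check_frontchannel_logout_params("sid=abc", EXPECTED_ISSUER))
    print(check_frontchannel_logout_params(
        "iss=https%3A%2F%2Fop.example.com&sid=abc", EXPECTED_ISSUER))
```

The `sub.rp.example.com` case is the one that separates origin matching from cookie-domain matching: a cookie set for `rp.example.com` could be readable from the subdomain, but the origin check rejects it, which is the stricter behaviour Thomas describes.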



_______________________________________________
Openid-specs-ab mailing list
Openid-specs-ab at lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-specs-ab
