[Openid-specs-ab] Situation when sid is not in the Logout Token in Back Channel Logout

SureshAtt suresh.attanayake at gmail.com
Wed Jan 22 15:32:02 UTC 2020


Hello everyone,

I have a question regarding the following statement in the section 2.4
<https://openid.net/specs/openid-connect-backchannel-1_0.html#LogoutToken>
of the spec.

"A Logout Token MUST contain either a sub or a sid Claim, and MAY contain
both. If a sid Claim is not present, the intent is that all sessions at the
RP for the End-User identified by the iss and sub Claims be logged out. "

What is the intended situation when sid is not send in the Logout Token? is
it intended that OP logout only one session (identified by a sid), but it's
instructing it's RPs to kill all sessions for that user? Or is it intended
that OP kills all sessions for that user and instructing RPs to do the same?

Thanks & regards,
Suresh
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20200122/3f11ec26/attachment.html>


More information about the Openid-specs-ab mailing list