<html><head><meta http-equiv="Content-Type" content="text/html charset=windows-1256"><base href="x-msg://65/"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Passing the id_token to the end session endpoint lets the IdP validate who is trying to end the session. That may be important in some cases. Sending the whole thing as long as it unencrypted is best.<div><br></div><div>John B.<br><div><div>On 2013-05-24, at 12:56 PM, Mike Jones <<a href="mailto:Michael.Jones@microsoft.com">Michael.Jones@microsoft.com</a>> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div style="font-family: Helvetica; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><div data-externalstyle="false" dir="ltr" style="font-family: Calibri, 'Segoe UI', Meiryo, 'Microsoft YaHei UI', 'Microsoft JhengHei UI', 'Malgun Gothic', 'Khmer UI', 'Nirmala UI', Tunga, 'Lao UI', Ebrima, sans-serif; font-size: 12pt; "><div>You have this deployed now, right? How is this working in your deployment?</div><div> </div><div>So you’re suggesting that we use the id_token_hint parameter and pass the ID Token to the end_session_endpoint? What do others think of that?</div><div> </div><div>-- Mike</div><div data-signatureblock="true"> </div><div style="padding-top: 5px; border-top-color: rgb(229, 229, 229); border-top-width: 1px; border-top-style: solid; "><font face="Calibri, 'Segoe UI', Meiryo, 'Microsoft YaHei UI', 'Microsoft JhengHei UI', 'Malgun Gothic', 'Khmer UI', 'Nirmala UI', Tunga, 'Lao UI', Ebrima, sans-serif" style="line-height: 15pt; letter-spacing: 0.02em; font-family: Calibri, 'Segoe UI', Meiryo, 'Microsoft YaHei UI', 'Microsoft JhengHei UI', 'Malgun Gothic', 'Khmer UI', 'Nirmala UI', Tunga, 'Lao UI', Ebrima, sans-serif; font-size: 11pt; "><b>From:</b> Breno de Medeiros<br><b>Sent:</b> ýThursdayý, ýMayý ý23ý, ý2013 ý8ý:ý23ý ýPM<br><b>To:</b> Mike Jones<br><b>Cc:</b> Naveen Agarwal, <a href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a></font></div><div> </div>I think we should use the same approach as in the immediate flow,<br>i.e., provide a hint about the intended user. In fact I had suggested<br>the entire id_token be supplied to the OP.<br><br>On Thu, May 23, 2013 at 6:48 PM, Mike Jones <<a href="mailto:Michael.Jones@microsoft.com">Michael.Jones@microsoft.com</a>> wrote:<br>> Hi Breno and Naveen,<br>><br>><br>><br>> (1) Assume that two users (Alice and Bob) have sessions from the same RP<br>> logged into to the same OP. Bob decides to log out. Per the session<br>> management spec, Bob is logged out of the RP locally and then the RP<br>> redirects to the OP’s end_session_endpoint. Does the OP also log Alice out<br>> when Bob consents the logout action or just Bob? If Alice is not logged<br>> out, how does the OP know which user to log out? Through Bob’s cookie? (I<br>> think that this is the case, but wanted to verify it.)<br>><br>><br>><br>> At a minimum, we need to say what is expected to happen in this case in the<br>> spec. It wasn’t clear to some developers reading it recently.<br>><br>><br>><br>> (2) In a related question, should we be passing an id_token as a parameter<br>> to the logout URL so that the OP knows which session to log out? Or is this<br>> already known, per the answer to (1)? Would adding this parameter enable<br>> additional kinds of attacks?<br>><br>><br>><br>> Thanks,<br>><br>> -- Mike<br>><br>><br><br><br><br>--<span class="Apple-converted-space"> </span><br>--Breno<br></div>_______________________________________________<br>Openid-specs-ab mailing list<br><a href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.net</a><br>http://lists.openid.net/mailman/listinfo/openid-specs-ab</div></blockquote></div><br></div></body></html>