<font size=2 face="sans-serif">> </font><font size=2 color=#004080 face="Calibri">Your
example seems to indicate that JavaScript code in pages present in the
browser history doesn’t get to run unless the page is the displayed page.
Is that correct?</font>
<br>
<br><font size=2 face="sans-serif">I'm also not an expert, but that's my
understanding.<br>
</font>
<br><font size=2 face="sans-serif">> </font><font size=2 color=#004080 face="Calibri">Do
you have any sense why this issue also prompted discussions on non-opaque
access tokens and introspection?</font>
<br>
<br><font size=2 face="sans-serif">I don't. That's something that
George/Justin brought up. Went over my head.</font>
<table width=223 style="border-collapse:collapse;">
<tr height=8>
<td width=223 bgcolor=white style="border-style:solid;border-color:#000000;border-width:0px 0px 0px 0px;padding:0px 0px;"><font size=1 face="Verdana"><b><br>
<br>
<br>
Todd Lainhart<br>
Rational software<br>
IBM Corporation<br>
550 King Street, Littleton, MA 01460-1250</b></font><font size=1 face="Arial"><b><br>
1-978-899-4705<br>
2-276-4705 (T/L)<br>
lainhart@us.ibm.com</b></font></table>
<br>
<br>
<br>
<br>
<br><font size=1 color=#5f5f5f face="sans-serif">From:
</font><font size=1 face="sans-serif">Mike Jones <Michael.Jones@microsoft.com></font>
<br><font size=1 color=#5f5f5f face="sans-serif">To:
</font><font size=1 face="sans-serif">Todd W Lainhart/Lexington/IBM@IBMUS,
</font>
<br><font size=1 color=#5f5f5f face="sans-serif">Cc:
</font><font size=1 face="sans-serif">George Fletcher <gffletch@aol.com>,
Justin Richer <jricher@mitre.org>, "openid-specs-ab@lists.openid.net"
<openid-specs-ab@lists.openid.net>, "openid-specs-ab-bounces@lists.openid.net"
<openid-specs-ab-bounces@lists.openid.net>, Pedro Felix <pmhsfelix@gmail.com></font>
<br><font size=1 color=#5f5f5f face="sans-serif">Date:
</font><font size=1 face="sans-serif">03/13/2014 03:26 PM</font>
<br><font size=1 color=#5f5f5f face="sans-serif">Subject:
</font><font size=1 face="sans-serif">RE: [Openid-specs-ab]
Session cleanup via back-channel</font>
<br>
<hr noshade>
<br>
<br>
<br><font size=2 color=#004080 face="Calibri">Thanks for the concrete example,
Todd. That’s useful. Your example seems to indicate that JavaScript
code in pages present in the browser history doesn’t get to run unless
the page is the displayed page. Is that correct? And is the
answer the same for all browsers or is it different for different browsers?
(I’m not an expert in browser implementation details, so I’m openly
asking this, hoping that someone on the thread does have this expertise.)</font>
<br><font size=2 color=#004080 face="Calibri"> </font>
<br><font size=2 color=#004080 face="Calibri">Do you have any sense why
this issue also prompted discussions on non-opaque access tokens and introspection?</font>
<br><font size=2 color=#004080 face="Calibri"> </font>
<br><font size=2 color=#004080 face="Calibri">
-- Mike</font>
<br><font size=2 color=#004080 face="Calibri"> </font>
<br><font size=2 face="Tahoma"><b>From:</b> Todd W Lainhart [</font><a href=mailto:lainhart@us.ibm.com><font size=2 face="Tahoma">mailto:lainhart@us.ibm.com</font></a><font size=2 face="Tahoma">]
<b><br>
Sent:</b> Thursday, March 13, 2014 12:12 PM<b><br>
To:</b> Mike Jones<b><br>
Cc:</b> George Fletcher; Justin Richer; openid-specs-ab@lists.openid.net;
openid-specs-ab-bounces@lists.openid.net; Pedro Felix<b><br>
Subject:</b> Re: [Openid-specs-ab] Session cleanup via back-channel</font>
<br><font size=3 face="Times New Roman"> </font>
<br><font size=2 face="Arial">> </font><font size=2 color=#004080 face="Calibri"> Am
I correct or wrong that this is the same issue?</font><font size=3 face="Times New Roman">
<br>
</font><font size=2 face="Arial"><br>
It is the same issue. My sense at the time it was closed was that
folks on the call didn't want to hold up the specs for this, and so Nat
proposed the extension route, with the observation that the topic had been
raised before. I'm also recalling that maybe the Googlers had something
to say about this.</font><font size=3 face="Times New Roman"> <br>
</font><font size=2 face="Arial"><br>
> </font><font size=2 color=#004080 face="Calibri">is there a reason
that RPs can’t learn of the OP-initiated logout via the JavaScript session
state changed notification already in the spec?</font><font size=3 face="Times New Roman">
<br>
</font><font size=2 face="Arial"><br>
I'm not speaking for Pedro, but I'll give you an example (but real) scenario
that prompted #916. Browser is viewing the protected resources of
RP "A" (a session has already been started). Bob clicks
a link on the page which now shows the representation of a protected resource
from RP "B". Bob selects "logout", which directs
"B" to the end_session endpoint. Ideally, "A"
would get notified of the session end so that it can drop resources that
it was associating to Bob.</font><font size=3 face="Times New Roman"> </font>
<p>
<table width=224 style="border-collapse:collapse;">
<tr height=8>
<td width=222 bgcolor=white style="border-style:solid;border-color:#000000;border-width:1px 1px 1px 1px;padding:0px 0px;"><font size=1 face="Verdana"><b><br>
<br>
<br>
Todd Lainhart<br>
Rational software<br>
IBM Corporation<br>
550 King Street, Littleton, MA 01460-1250</b></font><font size=1 face="Arial"><b><br>
1-978-899-4705<br>
2-276-4705 (T/L)</b></font><font size=1 color=blue face="Arial"><b><u><br>
</u></b></font><a href=mailto:lainhart@us.ibm.com><font size=1 color=blue face="Arial"><b><u>lainhart@us.ibm.com</u></b></font></a></table>
<br><font size=3 face="Times New Roman"><br>
<br>
<br>
<br>
</font><font size=1 color=#5f5f5f face="Arial"><br>
From: </font><font size=1 face="Arial">Mike
Jones <</font><a href=mailto:Michael.Jones@microsoft.com><font size=1 color=blue face="Arial"><u>Michael.Jones@microsoft.com</u></font></a><font size=1 face="Arial">></font><font size=3 face="Times New Roman">
</font><font size=1 color=#5f5f5f face="Arial"><br>
To: </font><font size=1 face="Arial">George
Fletcher <</font><a href=mailto:gffletch@aol.com><font size=1 color=blue face="Arial"><u>gffletch@aol.com</u></font></a><font size=1 face="Arial">>,
Pedro Felix <</font><a href=mailto:pmhsfelix@gmail.com><font size=1 color=blue face="Arial"><u>pmhsfelix@gmail.com</u></font></a><font size=1 face="Arial">>,
Justin Richer <</font><a href=mailto:jricher@mitre.org><font size=1 color=blue face="Arial"><u>jricher@mitre.org</u></font></a><font size=1 face="Arial">>,
</font><font size=1 color=#5f5f5f face="Arial"><br>
Cc: </font><font size=1 face="Arial">"</font><a href="mailto:openid-specs-ab@lists.openid.net"><font size=1 color=blue face="Arial"><u>openid-specs-ab@lists.openid.net</u></font></a><font size=1 face="Arial">"
<</font><a href="mailto:openid-specs-ab@lists.openid.net"><font size=1 color=blue face="Arial"><u>openid-specs-ab@lists.openid.net</u></font></a><font size=1 face="Arial">></font><font size=3 face="Times New Roman">
</font><font size=1 color=#5f5f5f face="Arial"><br>
Date: </font><font size=1 face="Arial">03/13/2014
02:47 PM</font><font size=3 face="Times New Roman"> </font><font size=1 color=#5f5f5f face="Arial"><br>
Subject: </font><font size=1 face="Arial">Re:
[Openid-specs-ab] Session cleanup via back-channel</font><font size=3 face="Times New Roman">
</font><font size=1 color=#5f5f5f face="Arial"><br>
Sent by: </font><a href="mailto:openid-specs-ab-bounces@lists.openid.net"><font size=1 color=blue face="Arial"><u>openid-specs-ab-bounces@lists.openid.net</u></font></a><font size=3 face="Times New Roman">
</font>
<div align=center>
<hr noshade></div>
<br><font size=3 face="Times New Roman"><br>
<br>
</font><font size=2 color=#004080 face="Calibri"><br>
Maybe I’m confused, but this issue seems like a duplicate of </font><a href=https://bitbucket.org/openid/connect/issue/916><font size=2 color=blue face="Calibri"><u>https://bitbucket.org/openid/connect/issue/916</u></font></a><font size=2 color=#004080 face="Calibri">,
which we’d previously discussed and decided not to fix. Am I correct
or wrong that this is the same issue?</font><font size=3 face="Times New Roman">
</font><font size=2 color=#004080 face="Calibri"><br>
</font><font size=3 face="Times New Roman"> </font><font size=2 color=#004080 face="Calibri"><br>
Responding to Pedro’s point “</font><font size=3 face="Times New Roman">2)
The OP propagate this cleanup notification to the downstream RPs, also
via back-channel (a back-channel to front-channel is not possible)</font><font size=2 color=#004080 face="Calibri">”
– is there a reason that RPs can’t learn of the OP-initiated logout via
the JavaScript session state changed notification already in the spec?
I realize that requiring JavaScript might not be your preferred mechanism,
but we’ve also tried not to have multiple ways to do the same thing, unless
there’s a good reason to do so. I’m open-minded about this, but
would like to hear what the arguments for the additional mechanism are,
and if they’re different than those discussed with issue #916.</font><font size=3 face="Times New Roman">
</font><font size=2 color=#004080 face="Calibri"><br>
</font><font size=3 face="Times New Roman"> </font><font size=2 color=#004080 face="Calibri"><br>
I’m also confused about the talk of structured access tokens. How
do structured access tokens relate to logout? And why would we consider
changing access tokens from being opaque to structured? Requiring
specific structure would break many OAuth and OpenID Connect implementations.</font><font size=3 face="Times New Roman">
</font><font size=2 color=#004080 face="Calibri"><br>
</font><font size=3 face="Times New Roman"> </font><font size=2 color=#004080 face="Calibri"><br>
I’m also confused why introspection is being discussed again. We
deleted the Check ID Endpoint, which did introspection on ID Tokens in
May 2012 in response to developer feedback about not wanting to have to
support two ways of doing the same thing. See </font><a href=https://bitbucket.org/openid/connect/issue/570><font size=2 color=blue face="Calibri"><u>https://bitbucket.org/openid/connect/issue/570</u></font></a><font size=2 color=#004080 face="Calibri">.
Why is this being discussed again, now that the specs are final?</font><font size=3 face="Times New Roman">
</font><font size=2 color=#004080 face="Calibri"><br>
</font><font size=3 face="Times New Roman"> </font><font size=2 color=#004080 face="Calibri"><br>
I guess call me confused today…</font><font size=3 face="Times New Roman">
</font><font size=2 color=#004080 face="Calibri"><br>
</font><font size=3 face="Times New Roman"> </font><font size=2 color=#004080 face="Calibri"><br>
--
Mike</font><font size=3 face="Times New Roman"> </font><font size=2 color=#004080 face="Calibri"><br>
</font><font size=3 face="Times New Roman"> </font><font size=2 face="Tahoma"><b><br>
From:</b> </font><a href="mailto:openid-specs-ab-bounces@lists.openid.net"><font size=2 color=blue face="Tahoma"><u>openid-specs-ab-bounces@lists.openid.net</u></font></a><font size=2 face="Tahoma">
[</font><a href="mailto:openid-specs-ab-bounces@lists.openid.net"><font size=2 color=blue face="Tahoma"><u>mailto:openid-specs-ab-bounces@lists.openid.net</u></font></a><font size=2 face="Tahoma">]
<b>On Behalf Of </b>George Fletcher<b><br>
Sent:</b> Thursday, March 13, 2014 8:19 AM<b><br>
To:</b> Pedro Felix; Justin Richer<b><br>
Cc:</b> </font><a href="mailto:openid-specs-ab@lists.openid.net"><font size=2 color=blue face="Tahoma"><u>openid-specs-ab@lists.openid.net</u></font></a><font size=2 face="Tahoma"><b><br>
Subject:</b> Re: [Openid-specs-ab] Session cleanup via back-channel</font><font size=3 face="Times New Roman">
<br>
</font><font size=3 face="Arial"><br>
Hi Pedro,<br>
<br>
Sorry for confusing the thread. I was responding to Nat's point about structured
headers. It's not really relevant to the issue you are addressing. As for
requirements for the back-channel call, you can add a document on the wiki,
or file a new issue on the site as an enhancement for the working group
to address and then put in the ticket all the current requirements. Others
can then comment on the ticket and the working group can track it.<br>
<br>
Note, that for this back-channel capability to be relevant to an RP, the
RP must support the concept of "server side" sessions (or maintain
a "black list" of revoked sessions). This doesn't tend to be
capabilities that most RPs support.<br>
<br>
Thanks,<br>
George</font><font size=3 face="Times New Roman"> <br>
On 3/13/14 11:12 AM, Pedro Felix wrote: <br>
1) Since I'm rather new in this group, what would be the best way to continue
this discussion? In this email thread? By trying to produce a requirements
doc on the wiki? <br>
Most probably, I will be working on an implementation of this feature in
the near future. <br>
<br>
2) Picking up on Justin's reply: an approach would be to also use the "aud"
and the "sub" to identify the session to cleanup. I don't like
the idea of requiring a round-trip to the introspection endpoint in order
to check the token purpose. Makes sense? <br>
<br>
Thanks <br>
Pedro <br>
<br>
On Thu, Mar 13, 2014 at 2:12 PM, Justin Richer <</font><a href=mailto:jricher@mitre.org target=_blank><font size=3 color=blue face="Times New Roman"><u>jricher@mitre.org</u></font></a><font size=3 face="Times New Roman">>
wrote: <br>
A number of our apps use this combined approach -- the server sends out
a signed JWT that the client can check the "iss" field and signature,
then (if it cares to do so) the client does introspection with the server
at "iss" to see if the token's still valid and what it's good
for.</font><font size=3 color=#8f8f8f face="Times New Roman"><br>
<br>
-- Justin</font><font size=3 face="Times New Roman"> <br>
<br>
On 03/13/2014 09:48 AM, George Fletcher wrote: </font><font size=3 face="Arial"><br>
On the "structured token" side of things I remember having a
discussion about this at IIW (a few back) and I thought someone and written
something up. It was needed in a number of cases that were using the token
introspection endpoint as a way to identifier the authorization server
to send the token to for introspection. I can't find my notes on the conversation
but maybe someone else remembers?<br>
<br>
I think conceptually it was as simple as a non-signed JWT containing iss
and token fields. Obviously, the rest of JOSE could be applied for signed
or encrypted tokens.<br>
<br>
Thanks,<br>
George</font><font size=3 face="Times New Roman"> <br>
On 3/12/14 9:02 PM, n-sakimura wrote: <br>
Let's just write up requirements on the WG wiki (@bitbucket). <br>
Once we agree on the requirements, it should be straight forward to turn
it into a spec. <br>
<br>
On the side note, perhaps it is actually for OAuth WG, but it would be
nice to spec out the structured (access) token. it could be pseudo opaque
as well as long as you can find the authorization server from the token
but we at least need to be able to find out the iss. <br>
<br>
Nat <br>
<br>
(2014/03/13 3:58), John Bradley wrote: <br>
<br>
We have discussed creating a backchannel push method for the IdP to notify
the RP. <br>
<br>
So far noting is written up. I have a bad feeling that it might be
me that needs to create the first draft. <br>
<br>
John B. <br>
<br>
On Mar 12, 2014, at 3:54 PM, Pedro Felix </font><a href=mailto:pmhsfelix@gmail.com target=_blank><font size=3 color=blue face="Times New Roman"><u><pmhsfelix@gmail.com></u></font></a><font size=3 face="Times New Roman">
wrote: <br>
<br>
<br>
Hi, <br>
<br>
I've a scenario where a OIDC OP is acting as a bridge between upstream
IdPs using non-OIDC protocols (e.g Shibboleth) and downstream RPs using
OIDC. <br>
In this scenario I have the following requirements <br>
1) The upstream IdP notifies the OP of a session termination via
back-channel <br>
2) The OP propagate this cleanup notification to the downstream
RPs, also via back-channel (a back-channel to front-channel is not possible)
<br>
<br>
Unfortunately, the OIDC session management spec does not provide any way
to perform this back-channel cleanup, however I remember reading some meeting
notes about this possibility. <br>
<br>
Is there anything that can be shared? I would like to align our solution
with what is being developed by this working group. <br>
<br>
Thanks <br>
Pedro <br>
_______________________________________________ <br>
Openid-specs-ab mailing list </font><font size=3 color=blue face="Times New Roman"><u><br>
</u></font><a href="mailto:Openid-specs-ab@lists.openid.net" target=_blank><font size=3 color=blue face="Times New Roman"><u>Openid-specs-ab@lists.openid.net</u></font></a><font size=3 face="Times New Roman">
</font><font size=3 color=blue face="Times New Roman"><u><br>
</u></font><a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target=_blank><font size=3 color=blue face="Times New Roman"><u>http://lists.openid.net/mailman/listinfo/openid-specs-ab</u></font></a><font size=3 face="Times New Roman">
<br>
<br>
<br>
<br>
_______________________________________________ <br>
Openid-specs-ab mailing list </font><font size=3 color=blue face="Times New Roman"><u><br>
</u></font><a href="mailto:Openid-specs-ab@lists.openid.net" target=_blank><font size=3 color=blue face="Times New Roman"><u>Openid-specs-ab@lists.openid.net</u></font></a><font size=3 face="Times New Roman">
</font><font size=3 color=blue face="Times New Roman"><u><br>
</u></font><a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target=_blank><font size=3 color=blue face="Times New Roman"><u>http://lists.openid.net/mailman/listinfo/openid-specs-ab</u></font></a><font size=3 face="Times New Roman">
<br>
<br>
<br>
-- </font><font size=3 color=blue face="Times New Roman"><u><br>
</u></font><a href=http://connect.me/gffletch target=_blank><img src=cid:_4_0D27C6280D2787AC006D3D8085257C9A alt="George Fletcher"></a><font size=3 face="Times New Roman"><br>
<br>
</font><font size=2 face="Courier New"><br>
_______________________________________________</font><font size=3 face="Times New Roman">
</font><font size=2 face="Courier New"><br>
Openid-specs-ab mailing list</font><font size=3 face="Times New Roman">
</font><font size=3 color=blue face="Times New Roman"><u><br>
</u></font><a href="mailto:Openid-specs-ab@lists.openid.net" target=_blank><font size=2 color=blue face="Courier New"><u>Openid-specs-ab@lists.openid.net</u></font></a><font size=3 face="Times New Roman">
</font><font size=3 color=blue face="Times New Roman"><u><br>
</u></font><a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target=_blank><font size=2 color=blue face="Courier New"><u>http://lists.openid.net/mailman/listinfo/openid-specs-ab</u></font></a><font size=3 face="Times New Roman">
<br>
<br>
<br>
_______________________________________________<br>
Openid-specs-ab mailing list</font><font size=3 color=blue face="Times New Roman"><u><br>
</u></font><a href="mailto:Openid-specs-ab@lists.openid.net"><font size=3 color=blue face="Times New Roman"><u>Openid-specs-ab@lists.openid.net</u></font></a><font size=3 color=blue face="Times New Roman"><u><br>
</u></font><a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target=_blank><font size=3 color=blue face="Times New Roman"><u>http://lists.openid.net/mailman/listinfo/openid-specs-ab</u></font></a><font size=3 face="Times New Roman">
<br>
<br>
<br>
-- </font><font size=3 color=blue face="Times New Roman"><u><br>
</u></font><a href=http://connect.me/gffletch><img src=cid:_4_0D27D6440D2787AC006D3D8085257C9A alt="George Fletcher"></a><font size=2 face="Courier New">_______________________________________________<br>
Openid-specs-ab mailing list</font><font size=2 color=blue face="Courier New"><u><br>
</u></font><a href="mailto:Openid-specs-ab@lists.openid.net"><font size=2 color=blue face="Courier New"><u>Openid-specs-ab@lists.openid.net</u></font></a><font size=3 color=blue face="Times New Roman"><u><br>
</u></font><a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab"><font size=2 color=blue face="Courier New"><u>http://lists.openid.net/mailman/listinfo/openid-specs-ab</u></font></a>
<br>