<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
{mso-style-priority:99;
mso-style-link:"Plain Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
span.PlainTextChar
{mso-style-name:"Plain Text Char";
mso-style-priority:99;
mso-style-link:"Plain Text";
font-family:"Calibri","sans-serif";}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
span.EmailStyle21
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D">An updated version is attached. Changes were:<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:6.0pt;margin-left:1.0in;text-indent:-1.0in">
16-Feb-15 Added an optional <span style="font-family:"Courier New"">id_token</span> parameter to the
<span style="font-family:"Courier New"">logout_uri</span> to authenticate requests and differentiate between sessions, plus related metadata values. Added that non-200 HTTP status codes can be used when the logout fails. Clarified when post-logout redirection
to an RP occurs.<o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">I believe that this addresses the comments received to date.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"> -- Mike<o:p></o:p></span></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">-----Original Message-----<br>
From: Openid-specs-ab [mailto:openid-specs-ab-bounces@lists.openid.net] On Behalf Of Mike Jones<br>
Sent: Sunday, February 15, 2015 11:03 PM<br>
To: John Bradley; Torsten Lodderstedt<br>
Cc: openid-specs-ab@lists.openid.net<br>
Subject: Re: [Openid-specs-ab] OpenID Connect Logout using HTTP GET</p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">I'm increasingly thinking that we should allow the OP to include the ID Token for the RP as a query parameter in the logout request. I'm thinking this for two reasons:<o:p></o:p></p>
<p class="MsoPlainText">1. It would validate to the RP that the logout request is legitimate.<o:p></o:p></p>
<p class="MsoPlainText">2. It would tell the RP which session to log out, should multiple users be logged in at the RP from the OP.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">I don't think we should make including the ID Token required, since deployment circumstances will differ. In some cases, the extra validation is important. In others, it isn't.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">If we do this, in the Discovery and Recovery metadata, we should have the RP and the OP say whether the require and provide the ID Token value as part of the logout message to the RP.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText"> -- Mike<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">-----Original Message-----<o:p></o:p></p>
<p class="MsoPlainText">From: John Bradley [<a href="mailto:ve7jtb@ve7jtb.com"><span style="color:windowtext;text-decoration:none">mailto:ve7jtb@ve7jtb.com</span></a>]
<o:p></o:p></p>
<p class="MsoPlainText">Sent: Sunday, February 15, 2015 11:34 AM<o:p></o:p></p>
<p class="MsoPlainText">To: Torsten Lodderstedt<o:p></o:p></p>
<p class="MsoPlainText">Cc: Thomas Broyer; Mike Jones; <a href="mailto:openid-specs-ab@lists.openid.net">
<span style="color:windowtext;text-decoration:none">openid-specs-ab@lists.openid.net</span></a><o:p></o:p></p>
<p class="MsoPlainText">Subject: Re: [Openid-specs-ab] OpenID Connect Logout using HTTP GET<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Both<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">forcing a user to logout of a RP might also be used as part of a larger phishing attack, especially if the IdP returns the user to the bad guys landing page by redirecting to the post_logout_redirect_uri.<o:p></o:p></p>
<p class="MsoPlainText">That redirect URI needs to be registered but without authenticating the RP via having a id_token for the user Bad RP A could log the user out of all sessions and redirect the user to itself, without the user currently being logged in.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Without the id_token all the IdP can do is log the user out of all sessions.
<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Though when we start talking about IdP session management things get a bit fuzzy, Many IdP will automatically log the user back in to a RP if they are still logged in to the IdP, the IdP may not have any real notion of state per RP
connection.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">John B.<o:p></o:p></p>
<p class="MsoPlainText">On Feb 15, 2015, at 1:29 PM, Torsten Lodderstedt <<a href="mailto:torsten@lodderstedt.net"><span style="color:windowtext;text-decoration:none">torsten@lodderstedt.net</span></a>> wrote:<o:p></o:p></p>
<p class="MsoPlainText">> <o:p></o:p></p>
<p class="MsoPlainText">> <o:p></o:p></p>
<p class="MsoPlainText">> against the RP or the user?<o:p></o:p></p>
<p class="MsoPlainText">> <o:p></o:p></p>
<p class="MsoPlainText">> Am 15.02.2015 um 17:22 schrieb John Bradley:<o:p></o:p></p>
<p class="MsoPlainText">>> It might be used as a denial of service via xsrf.<o:p></o:p></p>
<p class="MsoPlainText">> <o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">_______________________________________________<o:p></o:p></p>
<p class="MsoPlainText">Openid-specs-ab mailing list<o:p></o:p></p>
<p class="MsoPlainText"><a href="mailto:Openid-specs-ab@lists.openid.net"><span style="color:windowtext;text-decoration:none">Openid-specs-ab@lists.openid.net</span></a><o:p></o:p></p>
<p class="MsoPlainText"><a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab"><span style="color:windowtext;text-decoration:none">http://lists.openid.net/mailman/listinfo/openid-specs-ab</span></a><o:p></o:p></p>
</div>
</body>
</html>