<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">I don’t actually think we need a signed token in the front channel.<div class=""><br class=""></div><div class="">I am talking about using a signed token in the back channel, but that is quite different, as all of the session information needs to be derived from the token, as the RP has no session cookie.</div><div class=""><br class=""></div><div class="">In the front channel there are two issues:</div><div class=""><br class=""></div><div class="">1. What account to sign out if there is more than one logged in from the IdP.</div><div class="">2. Is this from the IdP, or a cross-site request forgery?</div><div class=""><br class=""></div><div class="">1. Could be solved by including the subject or a session identifier.</div><div class="">2. The sid alone should be sufficient to stop an XSRF unless the id_token has leaked.</div><div class=""><br class=""></div><div class="">If you send the sid then you probably don’t need to send the sub. (That is where I thought we were going.)</div><div class=""><br class=""></div><div class="">I think trying to OAuth-protect the client’s endpoint with a bearer token might be an advanced option, but that would need to be in a query parameter to be sent from an image tag.</div><div class="">Is setting up a way for clients to provision an AS with an AT per subject worthwhile?
If it is one AT for all subjects then it leaks right away and is no real good for preventing XSRF.</div><div class=""><br class=""></div><div class="">Modifying the authorization request to include a token is possible, but I am not sure how necessary it is.</div><div class=""><br class=""></div><div class="">John B.</div><div class=""><br class=""><div><blockquote type="cite" class=""><div class="">On Feb 24, 2015, at 1:38 AM, Torsten Lodderstedt <<a href="mailto:torsten@lodderstedt.net" class="">torsten@lodderstedt.net</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""> I don't understand why you want to invent a new token concept for the logout. First there was a sid. The sid alone is not enough (if the same value is used among RPs in the same session); therefore you need to introduce an audience and a digital signature. This is getting more complex with every iteration.<br class="">
<br class="">
From a conceptual perspective, the challenge we are facing is the OP wants to send a request to a protected resource (logout endpoint at the RP). Sounds familiar? Yes, because this is classic OAuth with the OP taking the role of the client. <br class="">
<br class="">
I would therefore suggest letting the RP register the token it wants its logout endpoint to be invoked with. One could also use RFC 6750 mechanisms (or even PoP) to carry the token in the actual logout request. The advantage of this design: this token is opaque to the OP. There is no need to specify it. The token design and how to identify the respective session at the RP are at the RP's discretion. It could just be a reference to its session database. It also could be a JWT.<br class="">
<br class="">
kind regards,<br class="">
Torsten.<br class=""><br class=""><div class="gmail_quote">On 24 February 2015 03:45:34 CET, John Bradley <<a href="mailto:ve7jtb@ve7jtb.com" class="">ve7jtb@ve7jtb.com</a>> wrote:<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
My point was not that audience was not needed, but rather that it could be a different audience to differentiate between the login and sign-out tokens.<div class="">That way the sign-out tokens would not be accepted as login tokens, e.g. the logout_uri rather than the client_id, as a possible example.<div class=""><br class=""></div><div class="">John B.</div><div class=""><br class=""><div class=""><div class=""><blockquote type="cite" class=""><div class="">On Feb 23, 2015, at 6:32 PM, Mike Jones <<a href="mailto:Michael.Jones@microsoft.com" class="">Michael.Jones@microsoft.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div class="WordSection1" style="page: WordSection1; font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px;
-webkit-text-stroke-width: 0px;"><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">Spec call notes 23-Feb-15<div class=""><br class="webkit-block-placeholder"></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><div class=""> <br class="webkit-block-placeholder"></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">Nat Sakimura<div class=""><br class="webkit-block-placeholder"></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">Mike Jones<div class=""><br class="webkit-block-placeholder"></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">Brian Campbell<div class=""><br class="webkit-block-placeholder"></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">Edmund Jay<div class=""><br class="webkit-block-placeholder"></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">John Bradley<div class=""><br class="webkit-block-placeholder"></div></div><div style="margin: 0in 0in
0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><div class=""> <br class="webkit-block-placeholder"></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">Agenda<div class=""><br class="webkit-block-placeholder"></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""> Use of Pragma: no-cache in Form Post Response Mode<div class=""><br class="webkit-block-placeholder"></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""> Logout<div class=""><br class="webkit-block-placeholder"></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""> Certification<div class=""><br class="webkit-block-placeholder"></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri,
sans-serif;" class=""><div class=""> <br class="webkit-block-placeholder"></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">Use of Pragma: no-cache in Form Post Response Mode<div class=""><br class="webkit-block-placeholder"></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""> Brian believes the only change needed is to remove the "Pragma: no-cache"<div class=""><br class="webkit-block-placeholder"></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""> He believes that "Cache-Control: no-store" also performs a "Cache-Control: no-cache"<div class=""><br class="webkit-block-placeholder"></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""> Mike will confirm this<div class=""><br class="webkit-block-placeholder"></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""> Then Mike will make the change and update the blog post<div class=""><br class="webkit-block-placeholder"></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""> Later in the call, Brian pointed out that we should have normative text about not caching the result<div class=""><br class="webkit-block-placeholder"></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""> He will propose a sentence to add<div class=""><br class="webkit-block-placeholder"></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><div class=""> <br class="webkit-block-placeholder"></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">Logout<div class=""><br class="webkit-block-placeholder"></div></div><div style="margin: 0in 
0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""> When using the Session ID on the front channel, you're only picking from among those that are live in the browser<div class=""><br class="webkit-block-placeholder"></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
An alternative to putting "sid" and "iss" as query parameters is to put them in a JWT<div class=""><br class="webkit-block-placeholder"></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""> But it should not be a legal ID Token, so perhaps shouldn't have a subject<div class=""><br class="webkit-block-placeholder"></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""> John pointed out that we should at least consider whether an audience would be needed<div class=""><br class="webkit-block-placeholder"></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""> John will be working on a back channel logout spec also using the Session ID<div class=""><br class="webkit-block-placeholder"></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""> We should try to have these be as close to one another as reasonably possible<div class=""><br class="webkit-block-placeholder"></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""> He's on his way to Barcelona for MWC, so this may not happen for a bit<div class=""><br class="webkit-block-placeholder"></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt;
font-family: Calibri, sans-serif;" class=""> People agreed that the differentiation between image and iframe GETs must happen at registration time<div class=""><br class="webkit-block-placeholder"></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""> The query parameters still need to be reviewed<div class=""><br class="webkit-block-placeholder"></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><div class=""> <br class="webkit-block-placeholder"></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">Certification<div class=""><br class="webkit-block-placeholder"></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""> Roland now has testing up on the Symantec
hosts<div class=""><br class="webkit-block-placeholder"></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""> A team member of Roland's created an OP self-registration page at<span class="Apple-converted-space"> </span><a href="https://op.certification.openid.net:60000/" style="color: purple; text-decoration: underline;" class="">https://op.certification.openid.net:60000/</a><div class=""><br class="webkit-block-placeholder"></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""> When you select dynamic configuration, the answer to the first question is the issuer path (this isn't obvious)<div class=""><br class="webkit-block-placeholder"></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri,
sans-serif;" class=""> Mike will file some bugs on clarifying how the tool works<div class=""><br class="webkit-block-placeholder"></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""> People doing testing should migrate over to the official server<div class=""><br class="webkit-block-placeholder"></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""> This also means that Roland can now also put up the RP tests<div class=""><br class="webkit-block-placeholder"></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
Breno should be getting back to us within a week or so on how long it will take them to create a conforming implementation<div class=""><br class="webkit-block-placeholder"></div></div></div><span style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; float: none; display: inline !important;" class="">_______________________________________________</span><br style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=""><span style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant:
normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; float: none; display: inline !important;" class="">Openid-specs-ab mailing list</span><br style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=""><a href="mailto:Openid-specs-ab@lists.openid.net" style="color: purple; text-decoration: underline; font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal;
widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class="">Openid-specs-ab@lists.openid.net</a><br style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=""><a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" style="color: purple; text-decoration: underline; font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class="">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a></div></blockquote></div><br class=""></div></div></div></blockquote></div><br class="">
-- <br class="">
This message was sent from my Android mobile phone with K-9 Mail.</div></div></blockquote></div><br class=""></div></body></html>