<div dir="ltr"><div><div><div>Sorry, took me a while to get to looking at this (even at 2 pages). <br><br></div><div>In general this looks pretty good and isn't too far off from the implementation we did. Ours is img/get based and has no sid or equivalent. But it's pretty close otherwise. A few comments and questions follow...</div><div><br>"Several OpenID Connect implementers have requested a front channel
logout mechanism that doesn’t use JavaScript. " -> it's not the use
of JavaScript, per se, but rather the nature of how JavaScript is used.
The session management spec pretty much requires that an RP have Connect
aware JavaScript<span style="font-size:11pt;line-height:115%;font-family:Calibri">
on every page, which is a non-starter for many scenarios that involve
low-touch or no-touch integration with existing applications. </span><br><br><div>RPs/Clients can have multiple redirect_uris and, if
they have different domains, it can be problematic for a front-channel
logout mechanism that's relying on cookies when only one logout_uri is
allowed. We allowed for multiple logout uris in our implementation to
account for this. I can't remember if we just hit them all or try and
choose from among them based on the redirect_uris used in the corresponding SSOs. I think the former. I don't know if that's something that a logout spec should account for but it's a situation that can fall out of multiple redirect_uris. </div><br></div><div>If no "post_logout_redirect_uri" is provided to the "end_session_endpoint", is it expected that the OP keeps the user post logout (rather than sending them back to the RP)? I kind of assume so but it's not practically clear (to me anyway) in this doc or in Session Management. FWIW, the implementation we did always keeps the user at the OP after logout. <br></div><div><span style="font-size:11pt;line-height:115%;font-family:Calibri"><br></span></div><span style="font-size:11pt;line-height:115%;font-family:Calibri">"STS" is a bit of an overloaded term that means different things to different people/groups/companies. In a real spec it should be defined clearly or avoided.<br><br></span></div><span style="font-size:11pt;line-height:115%;font-family:Calibri">It'd be helpful to bring the definition of sid towards the beginning. Currently sid is talked about throughout the document but not defined until towards the end.<br></span></div><span style="font-size:11pt;line-height:115%;font-family:Calibri"></span><div><div><span style="font-size:11pt;line-height:115%;font-family:Calibri"><br></span></div><div><span style="font-size:11pt;line-height:115%;font-family:Calibri">That's everything that jumped out at me (for now anyway). <br></span></div><div><span style="font-size:11pt;line-height:115%;font-family:Calibri"><br><br></span></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Feb 24, 2015 at 2:49 PM, Mike Jones <span dir="ltr"><<a href="mailto:Michael.Jones@microsoft.com" target="_blank">Michael.Jones@microsoft.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="white" link="blue" vlink="purple" lang="EN-US">
<div>
<p class="MsoNormal"><span style="color:#1f497d">The fourth spec version is attached. Changes were:<u></u><u></u></span></p>
<p><u></u><span style="font-family:Symbol;color:#1f497d"><span>·<span style="font:7.0pt "Times New Roman"">
</span></span></span><u></u>Added <span style="font-family:"Courier New"">iss</span> (Issuer) query parameter to disambiguate potential
<span style="font-family:"Courier New"">sid</span> (Session ID) value conflicts between OPs.
<span style="color:#1f497d"><u></u><u></u></span></p>
<p><u></u><span style="font-family:Symbol;color:#1f497d"><span>·<span style="font:7.0pt "Times New Roman"">
</span></span></span><u></u>Renamed metadata parameters that used to contain the string “<span style="font-family:"Courier New"">sid</span>”.<span style="color:#1f497d"><u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> -- Mike<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<div>
<div style="border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext"> Openid-specs-ab [mailto:<a href="mailto:openid-specs-ab-bounces@lists.openid.net" target="_blank">openid-specs-ab-bounces@lists.openid.net</a>]
<b>On Behalf Of </b>Mike Jones<br>
<b>Sent:</b> Friday, February 20, 2015 5:11 PM<span class=""><br>
<b>To:</b> <a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a><br>
<b>Subject:</b> Re: [Openid-specs-ab] OpenID Connect Logout using HTTP GET<u></u><u></u></span></span></p>
</div>
</div><span class="">
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">It never seems to fail – you send something out then you immediately realize what’s wrong with it. ;-) In this case, I realized that the “sid” (Session ID)
isn’t sufficient, in general, for the RP to identify the session that the logout request pertains to, since the “sid” is issuer-specific (just like “sub” is). The RP also needs to know the issuer. The most straightforward way to provide this is probably
also having an “iss=<i>issuer</i>” query parameter for the logout request to the RP, in addition to the “sid=<i>sessionID</i>” query parameter.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Comments?<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> -- Mike<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<div>
<div style="border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext"> Openid-specs-ab [<a href="mailto:openid-specs-ab-bounces@lists.openid.net" target="_blank">mailto:openid-specs-ab-bounces@lists.openid.net</a>]
<b>On Behalf Of </b>Mike Jones<br>
<b>Sent:</b> Friday, February 20, 2015 4:37 PM<br>
<b>To:</b> <a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a><br>
<b>Subject:</b> Re: [Openid-specs-ab] OpenID Connect Logout using HTTP GET<u></u><u></u></span></p>
</div>
</div>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">A third iteration of the proposed OpenID Connect spec on logout using HTTP GET is attached. (It’s now a two-pager.) This incorporates the results of the useful discussion on Thursday’s call. Keep those cards and letters coming!<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Changes were:<u></u><u></u></p>
<p><u></u><span style="font-family:Symbol"><span>·<span style="font:7.0pt "Times New Roman"">
</span></span></span><u></u>Replaced the optional <span style="font-family:"Courier New"">
id_token</span> parameter with an optional <span style="font-family:"Courier New"">
sid</span> (Session ID) parameter.<u></u><u></u></p>
<p><u></u><span style="font-family:Symbol"><span>·<span style="font:7.0pt "Times New Roman"">
</span></span></span><u></u>Enabled the use of iframes with nested images or iframes to achieve downstream logouts.<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"> -- Mike<u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
</span></div>
</div>
<br></blockquote></div><br></div>
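The point Mike raises in the quoted message, that an RP cannot identify a session from "sid" alone because sid values are issuer-specific, is illustrated by the following added example (not code from the thread, the spec draft, or any implementation mentioned above). It assumes a constructed RP session table keyed by (iss, sid), a trusted-issuer allow list, and a cookie fallback when no sid is sent; all of these are assumptions, not spec behaviour.

```python
# Added example: minimal RP-side handler for a front-channel logout GET carrying
# "iss" and "sid" query parameters. Session table, issuer list and URLs are
# constructed sample data; the cookie fallback for a missing sid is an assumption.
from urllib.parse import urlsplit, parse_qs

# Constructed RP session table: RP session id -> issuer, OP session id, subject.
# Note rp-sess-1 and rp-sess-2 share the same sid but come from different OPs.
SESSIONS = {
    "rp-sess-1": {"iss": "https://op-a.example", "sid": "abc123", "sub": "alice"},
    "rp-sess-2": {"iss": "https://op-b.example", "sid": "abc123", "sub": "bob"},
    "rp-sess-3": {"iss": "https://op-a.example", "sid": "zzz999", "sub": "carol"},
}

# OPs this RP trusts; a logout request naming any other issuer is ignored.
TRUSTED_ISSUERS = {"https://op-a.example", "https://op-b.example"}


def parse_logout_request(url):
    """Return (iss, sid) from the logout URL's query string; either may be None."""
    qs = parse_qs(urlsplit(url).query)
    return qs.get("iss", [None])[0], qs.get("sid", [None])[0]


def handle_frontchannel_logout(url, cookie_session=None, sessions=SESSIONS):
    """Terminate matching RP sessions and return the list of terminated ids.

    iss unknown            -> ignore the request entirely
    no sid                 -> fall back to the browser's RP cookie (assumed behaviour),
                              but only if its issuer agrees with iss when iss is given
    sid without iss        -> ambiguous across OPs, so refuse rather than guess
    iss and sid both given -> terminate exactly the sessions matching both
    """
    iss, sid = parse_logout_request(url)
    if iss is not None and iss not in TRUSTED_ISSUERS:
        return []
    if sid is None:
        sess = sessions.get(cookie_session)
        if sess is None or (iss is not None and sess["iss"] != iss):
            return []
        del sessions[cookie_session]
        return [cookie_session]
    if iss is None:
        return []
    victims = [k for k, s in sessions.items() if s["iss"] == iss and s["sid"] == sid]
    for k in victims:
        del sessions[k]
    return victims
```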