<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Verdana;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
{mso-style-priority:99;
mso-style-link:"Plain Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
span.PlainTextChar
{mso-style-name:"Plain Text Char";
mso-style-priority:99;
mso-style-link:"Plain Text";
font-family:"Calibri","sans-serif";}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoPlainText"><a href="http://openid.net/specs/openid-connect-logout-1_0-03.html">http://openid.net/specs/openid-connect-logout-1_0-03.html</a> addresses the issue raised by Jim as:<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">> Shouldn't the Session ID bind in the RP as well? If an OP were to use the same sid value across multiple RPs, it would be easy enough for a naughty RP to cause another RP2 to logout, with no way for RP2 to defend itself.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">The Session ID Claim definition now includes:<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><span lang="EN" style="font-family:"Verdana","sans-serif";color:black">sid (session ID)<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span lang="EN" style="font-family:"Verdana","sans-serif";color:black">OPTIONAL. String identifier for a Session. This represents a Session of an OP
<span style="background:yellow;mso-highlight:yellow">at an RP</span> to a User Agent or device for a logged-in End-User.<o:p></o:p></span></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText"> Thanks Jim!<o:p></o:p></p>
<p class="MsoPlainText"> -- Mike<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">-----Original Message-----<br>
From: John Bradley [mailto:ve7jtb@ve7jtb.com] <br>
Sent: Tuesday, August 04, 2015 5:24 AM<br>
To: Mike Jones<br>
Cc: Jim des Rivieres; openid-specs-ab@lists.openid.net<br>
Subject: Re: [Openid-specs-ab] First full HTML-based logout spec published</p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">The SID should probably use the same pairwise logic as the subject.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">If it is not a pairwise subject then making the SID pairwise is not adding anything.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">If the subject is pairwise then SID should be created using the sector_identifier_uri if configured, otherwise the host component of the redirect_uri.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">John B.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">> On Aug 3, 2015, at 10:32 PM, Mike Jones <<a href="mailto:Michael.Jones@microsoft.com"><span style="color:windowtext;text-decoration:none">Michael.Jones@microsoft.com</span></a>> wrote:<o:p></o:p></p>
<p class="MsoPlainText">> <o:p></o:p></p>
<p class="MsoPlainText">> Replies inline…<o:p></o:p></p>
<p class="MsoPlainText">> <o:p></o:p></p>
<p class="MsoPlainText">> From: Openid-specs-ab [<a href="mailto:openid-specs-ab-bounces@lists.openid.net"><span style="color:windowtext;text-decoration:none">mailto:openid-specs-ab-bounces@lists.openid.net</span></a>] On Behalf Of Jim des Rivieres<o:p></o:p></p>
<p class="MsoPlainText">> Sent: Monday, March 16, 2015 8:34 AM<o:p></o:p></p>
<p class="MsoPlainText">> To: <a href="mailto:openid-specs-ab@lists.openid.net"><span style="color:windowtext;text-decoration:none">openid-specs-ab@lists.openid.net</span></a><o:p></o:p></p>
<p class="MsoPlainText">> Subject: Re: [Openid-specs-ab] First full HTML-based logout spec published<o:p></o:p></p>
<p class="MsoPlainText">> <o:p></o:p></p>
<p class="MsoPlainText">> Here are some comments on draft 00 of OpenID Connect HTTP-Based Logout 1.0.
<o:p></o:p></p>
<p class="MsoPlainText">> <o:p></o:p></p>
<p class="MsoPlainText">> re: 2. Relying Party Logout Functionality <o:p></o:p></p>
<p class="MsoPlainText">> <o:p></o:p></p>
<p class="MsoPlainText">> > Upon receiving the GET, the RP clears state associated with the logged-in session, including any cookies, and then returns an image and a HTTP 200 status code.
<o:p></o:p></p>
<p class="MsoPlainText">> <o:p></o:p></p>
<p class="MsoPlainText">> The RP's response also needs anti-caching headers (Cache-Control: no-store, Pragma: no-cache) to prevent the user agent from caching the response. Otherwise caching of one logout response could interfere with future logouts.
<o:p></o:p></p>
<p class="MsoPlainText">> <o:p></o:p></p>
<p class="MsoPlainText">> The cache-control language was added at <a href="https://na01.safelinks.protection.outlook.com/?url=http%3a%2f%2fopenid.bitbucket.org%2fopenid-connect-logout-1_0.html%23RPLogout.&data=01%7c01%7cMichael.Jones%40microsoft.com%7c4672c8a908354dafc41e08d29cc7a353%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=G%2fJHHUNU3X%2bp5IzRRCuDvFcrTyLXOO%2fRqSYkVBPOUqI%3d">
<span style="color:windowtext;text-decoration:none">https://na01.safelinks.protection.outlook.com/?url=http%3a%2f%2fopenid.bitbucket.org%2fopenid-connect-logout-1_0.html%23RPLogout.&data=01%7c01%7cMichael.Jones%40microsoft.com%7c4672c8a908354dafc41e08d29cc7a353%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=G%2fJHHUNU3X%2bp5IzRRCuDvFcrTyLXOO%2fRqSYkVBPOUqI%3d</span></a><o:p></o:p></p>
<p class="MsoPlainText">> <o:p></o:p></p>
<p class="MsoPlainText">> > If the RP supports OpenID Connect Dynamic Client Registration 1.0 [OpenID.Registration], it uses this metadata value to register the logout URL:
<o:p></o:p></p>
<p class="MsoPlainText">> <o:p></o:p></p>
<p class="MsoPlainText">> Regardless of whether the RP supports OpenID.Registration, the RP's registration with the OP needs to include the logout URL, logout_use_iframe and logout_session_required settings (when OP supports latter). This makes it awkward to
frame this section entirely in terms of OpenID.Registration. Since a parameter is passed to the logout URL, it might be clearer to call it the RP's Logout endpoint (cf. OAuth2 Redirection endpoint). Like other OAuth2/OIDC endpoint URIs, the spec should spell
out the restrictions on the endpoint URI; e.g., "The Logout endpoint URI MUST be an absolute URI as defined by [RFC3986] Section 4.3. The Logout endpoint URI MAY include an "application/x-www-form-urlencoded" formatted (per [RFC 6749] Appendix B) query component
([RFC3986] Section 3.4), which MUST be retained when adding additional query parameters. The Logout endpoint URI MUST NOT include a fragment component."
<o:p></o:p></p>
<p class="MsoPlainText">> <o:p></o:p></p>
<p class="MsoPlainText">> The logout URI syntax language was added at <a href="https://na01.safelinks.protection.outlook.com/?url=http%3a%2f%2fopenid.bitbucket.org%2fopenid-connect-logout-1_0.html%23RPLogout.&data=01%7c01%7cMichael.Jones%40microsoft.com%7c4672c8a908354dafc41e08d29cc7a353%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=G%2fJHHUNU3X%2bp5IzRRCuDvFcrTyLXOO%2fRqSYkVBPOUqI%3d">
<span style="color:windowtext;text-decoration:none">https://na01.safelinks.protection.outlook.com/?url=http%3a%2f%2fopenid.bitbucket.org%2fopenid-connect-logout-1_0.html%23RPLogout.&data=01%7c01%7cMichael.Jones%40microsoft.com%7c4672c8a908354dafc41e08d29cc7a353%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=G%2fJHHUNU3X%2bp5IzRRCuDvFcrTyLXOO%2fRqSYkVBPOUqI%3d</span></a><o:p></o:p></p>
<p class="MsoPlainText">> <o:p></o:p></p>
<p class="MsoPlainText">> re: 3. OpenID Provider Logout Functionality <o:p></o:p></p>
<p class="MsoPlainText">> <o:p></o:p></p>
<p class="MsoPlainText">> > sid (Session ID) OPTIONAL. String identifier for a Session - a pairing of an OP to a User Agent or device for a logged-in End-User.
<o:p></o:p></p>
<p class="MsoPlainText">> <o:p></o:p></p>
<p class="MsoPlainText">> Shouldn't the Session ID bind in the RP as well? If an OP were to use the same sid value across multiple RPs, it would be easy enough for a naughty RP to cause another RP2 to logout, with no way for RP2 to defend itself.
<o:p></o:p></p>
<p class="MsoPlainText">> <o:p></o:p></p>
<p class="MsoPlainText">> There had been some discussion of the scope of Session IDs in the working group that makes me think that sometimes the same ID would want to be used across RPs. But I may just be misremembering this. I’ll plan to have this discussed
during the next working group call.<o:p></o:p></p>
<p class="MsoPlainText">> <o:p></o:p></p>
<p class="MsoPlainText">> Regards, <o:p></o:p></p>
<p class="MsoPlainText">> Jim<o:p></o:p></p>
<p class="MsoPlainText">> <o:p></o:p></p>
<p class="MsoPlainText">> -- Mike<o:p></o:p></p>
<p class="MsoPlainText">> <o:p></o:p></p>
<p class="MsoPlainText">> _______________________________________________<o:p></o:p></p>
<p class="MsoPlainText">> Openid-specs-ab mailing list<o:p></o:p></p>
<p class="MsoPlainText">> <a href="mailto:Openid-specs-ab@lists.openid.net"><span style="color:windowtext;text-decoration:none">Openid-specs-ab@lists.openid.net</span></a><o:p></o:p></p>
<p class="MsoPlainText">> <a href="https://na01.safelinks.protection.outlook.com/?url=http%3a%2f%2flists.openid.net%2fmailman%2flistinfo%2fopenid-specs-ab&data=01%7c01%7cMichael.Jones%40microsoft.com%7c4672c8a908354dafc41e08d29cc7a353%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=GDdqFlWoNQvEu4%2bFTPvaETcRd4zKoBgr82qfVq%2fGgAw%3d">
<span style="color:windowtext;text-decoration:none">https://na01.safelinks.protection.outlook.com/?url=http%3a%2f%2flists.openid.net%2fmailman%2flistinfo%2fopenid-specs-ab&data=01%7c01%7cMichael.Jones%40microsoft.com%7c4672c8a908354dafc41e08d29cc7a353%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=GDdqFlWoNQvEu4%2bFTPvaETcRd4zKoBgr82qfVq%2fGgAw%3d</span></a><o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
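<p class="MsoPlainText">The following is an added illustration of the two points raised in this thread, not code from the OpenID Connect logout draft or from anyone on the list. It models John's suggestion of deriving the sid pairwise per RP sector (the sector_identifier_uri if configured, otherwise the host of the redirect_uri) and shows, on two toy RPs, why Jim's concern about one RP's sid being replayed at another RP goes away once each sector receives its own sid. It also sets the Cache-Control: no-store and Pragma: no-cache headers Jim asked for on the RP logout response. The keyed-hash construction, the client metadata, the salt and the session identifiers are constructed assumptions for the example; the spec itself does not prescribe how a pairwise sid is computed.<o:p></o:p></p>

```python
# Added example, not code from the OpenID Connect logout spec or this thread.
# Compares a global sid (one value for the whole OP session, as draft 00 read)
# with a pairwise sid derived per RP sector. All values below are constructed.
import hashlib
import hmac
from urllib.parse import urlparse


def sector_identifier(client: dict) -> str:
    """Host that identifies the RP's sector, following John's rule:
    sector_identifier_uri if configured, otherwise the redirect_uri host."""
    if client.get("sector_identifier_uri"):
        return urlparse(client["sector_identifier_uri"]).hostname
    return urlparse(client["redirect_uris"][0]).hostname


def pairwise_sid(op_session_id: str, client: dict, salt: bytes) -> str:
    """Per-sector session id: same OP session, different sector -> different sid.

    A keyed hash (assumed construction) so an RP can neither recover the OP's
    internal session id nor compute the sid that another sector received.
    """
    sector = sector_identifier(client)
    msg = sector.encode() + b"\x00" + op_session_id.encode()
    return hmac.new(salt, msg, hashlib.sha256).hexdigest()


def global_sid(op_session_id: str, client: dict, salt: bytes) -> str:
    """The weak variant: one sid for the OP session regardless of the RP."""
    return op_session_id


class RelyingParty:
    """Toy RP: remembers the sid it was given at login and clears only that."""

    def __init__(self, client: dict):
        self.client = client
        self.sessions = {}  # sid -> local session state

    def login(self, sid: str, state: dict) -> None:
        self.sessions[sid] = state

    def logout_endpoint(self, sid: str):
        """Handle GET <logout_uri>?sid=...; returns (status, headers, cleared)."""
        # Jim's anti-caching point: the UA must never cache a logout response,
        # otherwise a cached response could stand in for a later logout.
        headers = {"Cache-Control": "no-store", "Pragma": "no-cache"}
        cleared = self.sessions.pop(sid, None) is not None
        return 200, headers, cleared


def simulate(sid_fn) -> bool:
    """Log one OP session into two unrelated RPs, then present RP1's sid at
    RP2's logout endpoint. Returns True if RP2's session was cleared, i.e.
    if a sid issued to one RP was enough to log the user out of another."""
    salt = b"constructed-op-salt"
    op_session = "op-session-7f3a"  # constructed OP-side session id
    rp1 = RelyingParty({"client_id": "rp1",
                        "redirect_uris": ["https://rp1.example/cb"]})
    rp2 = RelyingParty({"client_id": "rp2",
                        "redirect_uris": ["https://rp2.example/cb"]})
    sid1 = sid_fn(op_session, rp1.client, salt)
    sid2 = sid_fn(op_session, rp2.client, salt)
    rp1.login(sid1, {"user": "alice"})
    rp2.login(sid2, {"user": "alice"})
    _, headers, rp2_cleared = rp2.logout_endpoint(sid1)
    assert headers["Cache-Control"] == "no-store"
    return rp2_cleared


if __name__ == "__main__":
    print("global sid, RP2 cleared by RP1's sid:", simulate(global_sid))      # True
    print("pairwise sid, RP2 cleared by RP1's sid:", simulate(pairwise_sid))  # False
```

<p class="MsoPlainText">Two clients that share a sector_identifier_uri receive the same pairwise sid, mirroring how pairwise subjects behave, while clients in different sectors receive unrelated values; RP2 therefore never holds RP1's sid and a logout request carrying it clears nothing at RP2.<o:p></o:p></p>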
</div>
</body>
</html>