<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div>1. Re session: when we start talking about a session from the OP we are causing confusion. Is it the OP session?</div><div id="AppleMailSignature"><br></div><div id="AppleMailSignature">My worry is that if the relying party executes the logout and clears its own session, it still needs to track the id token in case the id token reappears, since, while the token might be valid, it is revoked. Otherwise it might treat it as a new login session. </div><div id="AppleMailSignature"><br></div><div id="AppleMailSignature">Likewise, if a logout is followed immediately by a new login, we have to make sure the login is accepted. <br><br>Phil</div><div><br>On Aug 24, 2016, at 9:42 AM, John Bradley via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a>> wrote:<br><br></div><blockquote type="cite"><div>Correct. That is something that we might want to clarify.<div class=""><br class=""></div><div class="">Some people are interpreting the exp as the lifetime of the token and others are taking it as the lifetime of the session.</div><div class=""><br class=""></div><div style="orphans: 2; widows: 2;" class="">The spec states that for validating the id_token “<span style="font-family: verdana, charcoal, helvetica, arial, sans-serif; font-size: small; orphans: 2; widows: 2;" class="">The current time MUST be before the time represented by the </span><tt style="orphans: 2; widows: 2; color: rgb(0, 51, 102); font-family: 'Courier New', Courier, monospace;" class="">exp</tt><span style="font-family: verdana, charcoal, helvetica, arial, sans-serif; font-size: small; orphans: 2; widows: 2;" class=""> </span><span style="font-family: verdana, charcoal, helvetica, arial, sans-serif; font-size: small; orphans: 2; widows: 2;" class="">Claim (possibly allowing for some small leeway to account for clock skew).</span><font face="verdana, charcoal, helvetica, arial, sans-serif" size="2" class="">”</font></div><div class=""><div style="orphans: 2; widows: 2;" class=""><font face="verdana, charcoal, helvetica, arial, sans-serif" size="2" class=""><br class=""></font></div><div style="orphans: 2; widows: 2;" class=""><font face="verdana, charcoal, helvetica, arial, sans-serif" size="2" class="">As a result the server may receive expired id_tokens as hints. (The id_token is always going to be invalid, as the audience is wrong; that is why it is just a hint.)</font></div><div style="orphans: 2; widows: 2;" class=""><font face="verdana, charcoal, helvetica, arial, sans-serif" size="2" class=""><br class=""></font></div><div style="orphans: 2; widows: 2;" class=""><font face="verdana, charcoal, helvetica, arial, sans-serif" size="2" class="">I think we did talk at one time about having a session duration like SAML, but didn’t, as it is almost never honoured by SAML SPs.</font></div><div style="orphans: 2; widows: 2;" class=""><font face="verdana, charcoal, helvetica, arial, sans-serif" size="2" class=""><br class=""></font></div><div style="orphans: 2; widows: 2;" class=""><font face="verdana, charcoal, helvetica, arial, sans-serif" size="2" class="">John B.</font></div><div><blockquote type="cite" class=""><div class="">On Aug 24, 2016, at 1:22 PM, Brian Campbell via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net" class="">openid-specs-ab@lists.openid.net</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="ltr" class=""><br class="">I think we need to be careful with some of these assumptions. The exp on the ID Token doesn't correlate to the timeouts or expiration of the session the client establishes from the ID Token. And there are no normative requirements about the exp in an id_token_hint. 
<br class=""></div><div class="gmail_extra"><br class=""><div class="gmail_quote">On Wed, Aug 24, 2016 at 9:49 AM, Mike Jones via Openid-specs-ab <span dir="ltr" class=""><<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank" class="">openid-specs-ab@lists.openid.net</a>></span> wrote:<br class=""><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="auto" class="">
<div class=""><p class="MsoNormal">I found your original logic to be sound. The ID Token could be reused with id_token_hint until it expires. Communicating the matching expiration time in the logout made sense to me – particularly in the no Session ID case, as John points
out.</p><div class=""> <br class="webkit-block-placeholder"></div><p class="MsoNormal">– Mike</p><div class=""><span style="font-size:12.0pt;font-family:"Times New Roman",serif" class=""> </span><br class="webkit-block-placeholder"></div>
<div style="border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0in 0in 0in" class=""><p class="MsoNormal" style="border:none;padding:0in"><b class="">From: </b><a href="mailto:phil.hunt@oracle.com" target="_blank" class="">Phil Hunt (IDM)</a><br class="">
<b class="">Sent: </b>Wednesday, August 24, 2016 11:45 AM<br class="">
<b class="">To: </b><a href="mailto:phil.hunt@oracle.com" target="_blank" class="">Phil Hunt (IDM)</a><br class="">
<b class="">Cc: </b><a href="mailto:Michael.Jones@microsoft.com" target="_blank" class="">Mike Jones</a>; <a href="mailto:openid-specs-ab@lists.openid.net" target="_blank" class="">
openid-specs-ab@lists.openid.<wbr class="">net</a></p><div class=""><div class="h5"><br class="">
<b class="">Subject: </b>Re: [Openid-specs-ab] Session ID semantics aligned across OpenID Connect front-channel and back-channel logout specs</div></div><div class=""><br class="webkit-block-placeholder"></div>
</div><div class=""><span style="font-size:12.0pt;font-family:"Times New Roman",serif" class=""> </span><br class="webkit-block-placeholder"></div>
</div><div class=""><div class="h5">
<div class="">
<div class="">Scratch that. Was thinking oauth resource and tokens. </div>
<div class=""><br class="">
</div>
<div class="">Not sure the same would exist here. </div>
<div class=""><br class="">
Phil</div>
<div class=""><br class="">
On Aug 24, 2016, at 8:17 AM, Phil Hunt (IDM) via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank" class="">openid-specs-ab@lists.openid.<wbr class="">net</a>> wrote:<br class="">
<br class="">
</div>
<blockquote type="cite" class="">
<div class="">
<div class="">It may be useful to include the original session expiry time or make the exp match the original id token. If the service isn't tracking state of sessions it needs to know for how much longer an id token might show up in order to keep its revocation list
managed over time. <br class="">
<br class="">
Phil</div>
<div class=""><br class="">
On Aug 24, 2016, at 5:58 AM, Mike Jones via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank" class="">openid-specs-ab@lists.openid.<wbr class="">net</a>> wrote:<br class="">
<br class="">
</div>
<blockquote type="cite" class="">
<div class="">
<div class=""><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#002060" class="">Good catch, Filip. I’d replaced “exp” (expiration time) with “iat” (issued at) to align it with the ID Events spec
<a href="https://tools.ietf.org/html/draft-hunt-idevent-token-03" target="_blank" class="">https://tools.ietf.org/html/<wbr class="">draft-hunt-idevent-token-03</a>. But I’d also wanted to ask the working group – do we want to retain an explicit expiration time in the logout token?</span></p><div class=""><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#002060" class=""> </span><br class="webkit-block-placeholder"></div><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#002060" class=""> <wbr class=""> -- Mike</span></p><p class="MsoNormal"><a name="m_5573658266056926539__MailEndCompose" class=""><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#002060" class=""> </span></a></p>
<span class=""></span><p class="MsoNormal"><b class=""><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class="">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class=""> Filip [<a href="mailto:panva.ip@gmail.com" target="_blank" class="">mailto:panva.ip@gmail.com</a>]
<br class="">
<b class="">Sent:</b> Wednesday, August 24, 2016 1:24 AM<br class="">
<b class="">To:</b> Mike Jones <<a href="mailto:Michael.Jones@microsoft.com" target="_blank" class="">Michael.Jones@microsoft.com</a>><br class="">
<b class="">Cc:</b> <a href="mailto:openid-specs-ab@lists.openid.net" target="_blank" class="">openid-specs-ab@lists.openid.<wbr class="">net</a><br class="">
<b class="">Subject:</b> Re: [Openid-specs-ab] Session ID semantics aligned across OpenID Connect front-channel and back-channel logout specs</span></p><div class=""> <br class="webkit-block-placeholder"></div>
<div class="">
<div class=""><p class="MsoNormal">Hello,</p>
</div>
<div class=""><div class=""> <br class="webkit-block-placeholder"></div>
</div>
<div class=""><p class="MsoNormal">reviewing the changes i noticed in Section 2.4 of Backchannel draft 03 the 'exp' claim got removed from Logout Token claims, however section 4 still recomends OPs to use short expiration times for their Logout Tokens. It is not clear enough
if 'exp' should be present or not.</p>
</div>
<div class=""><p class="MsoNormal"><br clear="all" class="">
</p>
<div class="">
<div class=""><p class="MsoNormal">Best Regards,<br class="">
<b class="">Filip Skokan</b></p>
</div>
</div><div class=""> <br class="webkit-block-placeholder"></div>
<div class=""><p class="MsoNormal">On Wed, Aug 24, 2016 at 3:44 AM, Mike Jones via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank" class="">openid-specs-ab@lists.openid.<wbr class="">net</a>> wrote:</p>
<blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in" class="">
<div class="">
<div class=""><p class="MsoNormal">Session ID definitions in the OpenID Connect front-channel and back-channel logout specs have been aligned so that the Session ID definition is now the same in both specs. The Session ID is scoped to the Issuer in both specs now
(whereas it was previously global in scope in the front-channel spec). This means that the issuer value now needs to be supplied whenever the Session ID is. This doesn’t change the simple (no-parameter) front-channel logout messages. The back-channel specification
is now also aligned with the ID Event Token specification.</p><div class=""> <br class="webkit-block-placeholder"></div><p class="MsoNormal">The new specification versions are:</p><p class=""><span style="font-family:Symbol" class="">·</span><span style="font-size:7.0pt" class=""> </span>
<a href="http://openid.net/specs/openid-connect-frontchannel-1_0-01.html" target="_blank" class="">http://openid.net/specs/<wbr class="">openid-connect-frontchannel-1_<wbr class="">0-01.html</a></p><p class=""><span style="font-family:Symbol" class="">·</span><span style="font-size:7.0pt" class=""> </span>
<a href="http://openid.net/specs/openid-connect-backchannel-1_0-03.html" target="_blank" class="">http://openid.net/specs/<wbr class="">openid-connect-backchannel-1_<wbr class="">0-03.html</a></p><div class=""><span style="color:#888888" class=""> </span><br class="webkit-block-placeholder"></div><p class="MsoNormal"><span style="color:#888888" class=""> <wbr class=""> -- Mike</span></p><div class=""> <br class="webkit-block-placeholder"></div><p class="MsoNormal">P.S. This notice was also posted at <a href="http://self-issued.info/?p=1599" target="_blank" class="">
http://self-issued.info/?p=<wbr class="">1599</a> and as <a href="https://twitter.com/selfissued" target="_blank" class="">
@selfissued</a>.</p>
</div>
</div><p class="MsoNormal" style="margin-bottom:12.0pt"><br class="">
______________________________<wbr class="">_________________<br class="">
Openid-specs-ab mailing list<br class="">
<a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank" class="">Openid-specs-ab@lists.openid.<wbr class="">net</a><br class="">
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank" class="">http://lists.openid.net/<wbr class="">mailman/listinfo/openid-specs-<wbr class="">ab</a></p>
</blockquote>
</div><div class=""> <br class="webkit-block-placeholder"></div>
</div>
</div>
</div>
</div>
</blockquote>
<blockquote type="cite" class="">
<div class=""><span class="">______________________________<wbr class="">_________________</span><br class="">
<span class="">Openid-specs-ab mailing list</span><br class="">
<span class=""><a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank" class="">Openid-specs-ab@lists.openid.<wbr class="">net</a></span><br class="">
<span class=""><a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank" class="">http://lists.openid.net/<wbr class="">mailman/listinfo/openid-specs-<wbr class="">ab</a></span><br class="">
</div>
</blockquote>
</div>
</blockquote>
<blockquote type="cite" class="">
<div class=""><span class="">______________________________<wbr class="">_________________</span><br class="">
<span class="">Openid-specs-ab mailing list</span><br class="">
<span class=""><a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank" class="">Openid-specs-ab@lists.openid.<wbr class="">net</a></span><br class="">
<span class=""><a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank" class="">http://lists.openid.net/<wbr class="">mailman/listinfo/openid-specs-<wbr class="">ab</a></span><br class="">
</div>
</blockquote>
</div>
</div></div></div>
<br class="">______________________________<wbr class="">_________________<br class="">
Openid-specs-ab mailing list<br class="">
<a href="mailto:Openid-specs-ab@lists.openid.net" class="">Openid-specs-ab@lists.openid.<wbr class="">net</a><br class="">
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" rel="noreferrer" target="_blank" class="">http://lists.openid.net/<wbr class="">mailman/listinfo/openid-specs-<wbr class="">ab</a><br class="">
<br class=""></blockquote></div><br class=""></div>
</div></blockquote></div><br class=""></div></div></blockquote></body></html>