<div dir="ltr">Where would such text go? Core errata? Or?<br><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Aug 24, 2016 at 11:53 AM, Mike Jones <span dir="ltr"><<a href="mailto:Michael.Jones@microsoft.com" target="_blank">Michael.Jones@microsoft.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>
<div>
<p class="MsoNormal">Suggested text capturing these points would be great.</p>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman",serif"> </span></p>
<div style="border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal" style="border:none;padding:0in"><b>From: </b><a href="mailto:bcampbell@pingidentity.com" target="_blank">Brian Campbell</a><br>
<b>Sent: </b>Wednesday, August 24, 2016 12:39 PM<br>
<b>To: </b><a href="mailto:t.broyer@ltgt.net" target="_blank">Thomas Broyer</a><br>
<b>Cc: </b><a href="mailto:Michael.Jones@microsoft.com" target="_blank">Mike Jones</a>; <a href="mailto:phil.hunt@oracle.com" target="_blank">
Phil Hunt (IDM)</a>; <a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.<wbr>net</a></p><div><div class="h5"><br>
<b>Subject: </b>Re: [Openid-specs-ab] Session ID semantics aligned across OpenID Connect front-channel and back-channel logout specs</div></div><p></p>
</div>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman",serif"> </span></p>
</div><div><div class="h5">
<div>
<div dir="ltr">
<div>
<div>
<div>I would say yes, Thomas, but I think the answer will depend on who you ask and when.
<br>
<br>
</div>
Typically, in my own experience anyway, the SSO token (like the id token) has a relatively short expiration time and is consumed and validated by the client/RP once and then that client sets up its own session or security context with its own lifetime.
<br>
<br>
</div>
But I think some have used or want to use the id token directly as the session token at the client/RP. And doing so might then rely on the exp in the id token as the session expiration, which presumably would want a larger window.
<br>
<br>
</div>
<div>I don't think the spec(s) explicitly require one approach or the other. And, as such, I don't think any of the logout stuff can assume one or the other.
<br>
</div>
<br>
<div>
<div>
<div><br>
<br>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Wed, Aug 24, 2016 at 10:19 AM, Thomas Broyer via Openid-specs-ab
<span dir="ltr"><<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.<wbr>net</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">Aren't ID Tokens supposed to have a short expiration time? (I asked twice already over the last 2 years and never got an answer, maybe this time?)</div>
<div>
<div><br>
<div class="gmail_quote">
<div dir="ltr">On Wed, Aug 24, 2016 at 6:05 PM Mike Jones via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.<wbr>net</a>> wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="auto">
<div>
<p class="MsoNormal">I found your original logic to be sound. The ID Token could be reused with id_token_hint until it expires. Communicating the matching expiration time in the logout made sense to me – particularly in the no Session ID case, as John points
out.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">– Mike</p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:"Times New Roman",serif"> </span></p>
<div style="border-width:1pt medium medium;border-style:solid none none;padding:3pt 0in 0in">
<p class="MsoNormal" style="border:medium none;padding:0in"><b>From: </b><a href="mailto:phil.hunt@oracle.com" target="_blank">Phil Hunt (IDM)</a><br>
<b>Sent: </b>Wednesday, August 24, 2016 11:45 AM<br>
<b>To: </b><a href="mailto:phil.hunt@oracle.com" target="_blank">Phil Hunt (IDM)</a><br>
<b>Cc: </b><a href="mailto:Michael.Jones@microsoft.com" target="_blank">Mike Jones</a>;
<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.n<wbr>et</a></p>
</div>
</div>
</div>
<div dir="auto">
<div>
<div style="border-width:1pt medium medium;border-style:solid none none;padding:3pt 0in 0in">
<p class="MsoNormal" style="border:medium none;padding:0in"><br>
<b>Subject: </b>Re: [Openid-specs-ab] Session ID semantics aligned across OpenID Connect front-channel and back-channel logout specs</p>
</div>
</div>
</div>
<div dir="auto">
<div>
<div>Scratch that. Was thinking oauth resource and tokens. </div>
<div><br>
</div>
<div>Not sure the same would exist here. </div>
<div><br>
Phil</div>
<div><br>
On Aug 24, 2016, at 8:17 AM, Phil Hunt (IDM) via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.<wbr>net</a>> wrote:<br>
<br>
</div>
<blockquote type="cite">
<div>
<div>It may be useful to include the original session expiry time or make the exp match the original id token. If the service isn't tracking state of sessions it needs to know for how much longer an id token might show up in order to keep its revocation list
managed over time. <br>
<br>
Phil</div>
<div><br>
On Aug 24, 2016, at 5:58 AM, Mike Jones via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.<wbr>net</a>> wrote:<br>
<br>
</div>
<blockquote type="cite">
<div>
<div>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(0,32,96)">Good catch, Filip. I’d replaced “exp” (expiration time) with “iat” (issued at) to align it with the ID Events spec
<a href="https://tools.ietf.org/html/draft-hunt-idevent-token-03" target="_blank">
https://tools.ietf.org/html/dr<wbr>aft-hunt-idevent-token-03</a>. But I’d also wanted to ask the working group – do we want to retain an explicit expiration time in the logout token?</span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(0,32,96)"> </span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(0,32,96)"> <wbr> -- Mike</span></p>
<p class="MsoNormal"><a name="m_-8902454702970477306_m_-340934913959585311_m_-6451222161882914121_m_1139175348912087870_m_-1734851180359783533__MailEndCompose"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(0,32,96)"> </span></a></p>
<span></span>
<p class="MsoNormal"><b><span style="font-size:11pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11pt;font-family:"Calibri",sans-serif"> Filip [<a href="mailto:panva.ip@gmail.com" target="_blank">mailto:panva.ip@gmail.com</a>]
<br>
<b>Sent:</b> Wednesday, August 24, 2016 1:24 AM<br>
<b>To:</b> Mike Jones <<a href="mailto:Michael.Jones@microsoft.com" target="_blank">Michael.Jones@microsoft.com</a>><br>
<b>Cc:</b> <a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.n<wbr>et</a><br>
<b>Subject:</b> Re: [Openid-specs-ab] Session ID semantics aligned across OpenID Connect front-channel and back-channel logout specs</span></p>
<p class="MsoNormal"> </p>
<div>
<div>
<p class="MsoNormal">Hello,</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">reviewing the changes i noticed in Section 2.4 of Backchannel draft 03 the 'exp' claim got removed from Logout Token claims, however section 4 still recomends OPs to use short expiration times for their Logout Tokens. It is not clear enough
if 'exp' should be present or not.</p>
</div>
<div>
<p class="MsoNormal"><br clear="all">
</p>
<div>
<div>
<p class="MsoNormal">Best Regards,<br>
<b>Filip Skokan</b></p>
</div>
</div>
<p class="MsoNormal"> </p>
<div>
<p class="MsoNormal">On Wed, Aug 24, 2016 at 3:44 AM, Mike Jones via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.<wbr>net</a>> wrote:</p>
<blockquote style="border-width:medium medium medium 1pt;border-style:none none none solid;padding:0in 0in 0in 6pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal">Session ID definitions in the OpenID Connect front-channel and back-channel logout specs have been aligned so that the Session ID definition is now the same in both specs. The Session ID is scoped to the Issuer in both specs now (whereas
it was previously global in scope in the front-channel spec). This means that the issuer value now needs to be supplied whenever the Session ID is. This doesn’t change the simple (no-parameter) front-channel logout messages. The back-channel specification
is now also aligned with the ID Event Token specification.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">The new specification versions are:</p>
<p><span style="font-family:Symbol">·</span><span style="font-size:7pt"> </span>
<a href="http://openid.net/specs/openid-connect-frontchannel-1_0-01.html" target="_blank">http://openid.net/specs/openid<wbr>-connect-frontchannel-1_0-01.h<wbr>tml</a></p>
<p><span style="font-family:Symbol">·</span><span style="font-size:7pt"> </span>
<a href="http://openid.net/specs/openid-connect-backchannel-1_0-03.html" target="_blank">http://openid.net/specs/openid<wbr>-connect-backchannel-1_0-03.ht<wbr>ml</a></p>
<p class="MsoNormal"><span style="color:rgb(136,136,136)"> </span></p>
<p class="MsoNormal"><span style="color:rgb(136,136,136)"> <wbr> -- Mike</span></p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">P.S. This notice was also posted at <a href="http://self-issued.info/?p=1599" target="_blank">
http://self-issued.info/?p=159<wbr>9</a> and as <a href="https://twitter.com/selfissued" target="_blank">
@selfissued</a>.</p>
</div>
</div>
<p class="MsoNormal" style="margin-bottom:12pt"><br>
______________________________<wbr>_________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.n<wbr>et</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank">http://lists.openid.net/mailma<wbr>n/listinfo/openid-specs-ab</a></p>
</blockquote>
</div>
<p class="MsoNormal"> </p>
</div>
</div>
</div>
</div>
</blockquote>
<blockquote type="cite">
<div><span>______________________________<wbr>_________________</span><br>
<span>Openid-specs-ab mailing list</span><br>
<span><a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.n<wbr>et</a></span><br>
<span><a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank">http://lists.openid.net/mailma<wbr>n/listinfo/openid-specs-ab</a></span><br>
</div>
</blockquote>
</div>
</blockquote>
<blockquote type="cite">
<div><span>______________________________<wbr>_________________</span><br>
<span>Openid-specs-ab mailing list</span><br>
<span><a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.n<wbr>et</a></span><br>
<span><a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank">http://lists.openid.net/mailma<wbr>n/listinfo/openid-specs-ab</a></span><br>
</div>
</blockquote>
</div>
</div>
______________________________<wbr>_________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.n<wbr>et</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" rel="noreferrer" target="_blank">http://lists.openid.net/mailma<wbr>n/listinfo/openid-specs-ab</a><br>
</blockquote>
</div>
</div>
</div>
<br>
______________________________<wbr>_________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.n<wbr>et</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" rel="noreferrer" target="_blank">http://lists.openid.net/mailma<wbr>n/listinfo/openid-specs-ab</a><br>
<br>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</div>
</div>
</div>
</div></div></div>
</blockquote></div><br></div></div>