<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
I suggest removing this constraint from the spec.<br>
<br>
<div class="moz-cite-prefix">On 25.08.2016 at 16:30, Thomas
Broyer wrote:<br>
</div>
<blockquote
cite="mid:CAEayHENDSJHyEhspsC1dCH_2HVE1PvCWA8dXxOAn_Mn=vSxbkw@mail.gmail.com"
type="cite">
<div dir="ltr">May I suggest a copy-pasta from the frontchannel
spec? (where it makes sense to follow the Web Origin
restrictions, in case the frontchannel_logout_uri uses
localStorage/sessionStorage or similar; and it's stricter than
"cookie domains" so it works for cookies too).
<div><br>
</div>
<div>BTW, that makes for a good reminder of why a spec should
explain the "why" of its constraints, and not just "do this",
"don't do that".</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr">On Thu, Aug 25, 2016 at 3:43 PM Mike Jones via
Openid-specs-ab &lt;<a moz-do-not-send="true"
href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a>&gt;
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="white" link="#0563C1" vlink="#954F72"
lang="EN-US">
<div>
<p class="MsoNormal"><span style="color:#002060">John, do
you remember the rationale for the URL restrictions?
I know that we talked about this as the spec was being
written ~1.5 years ago but I don’t remember the
reasons off the top of my head.</span></p>
<p class="MsoNormal"><span style="color:#002060"> </span></p>
<p class="MsoNormal"><span style="color:#002060">
-- Mike</span></p>
<div>
<div style="border:none;border-top:solid #e1e1e1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="color:windowtext">From:</span></b><span
style="color:windowtext"> Torsten Lodderstedt
[mailto:<a moz-do-not-send="true"
href="mailto:torsten@lodderstedt.net"
target="_blank">torsten@lodderstedt.net</a>]
<br>
<b>Sent:</b> Thursday, August 25, 2016 4:56 AM<br>
<b>To:</b> Mike Jones &lt;<a
moz-do-not-send="true"
href="mailto:Michael.Jones@microsoft.com"
target="_blank">Michael.Jones@microsoft.com</a>&gt;;
<a moz-do-not-send="true"
href="mailto:openid-specs-ab@lists.openid.net"
target="_blank">openid-specs-ab@lists.openid.net</a><br>
<b>Subject:</b> Re: [Openid-specs-ab] Session ID
semantics aligned across OpenID Connect
front-channel and back-channel logout specs</span></p>
</div>
</div>
</div>
</div>
<div bgcolor="white" link="#0563C1" vlink="#954F72"
lang="EN-US">
<div>
<p class="MsoNormal"> </p>
<p class="MsoNormal" style="margin-bottom:12.0pt">Hi Mike,<br>
<br>
section 2.2 states "The domain, port, and scheme of this
URL MUST be the same as that of a registered Redirection
URI value."<br>
<br>
What's the rationale for limiting the logout URL that
way?<br>
<br>
best regards,<br>
Torsten.<span style="font-size:12.0pt"></span></p>
<div>
<p class="MsoNormal">On 24.08.2016 at 03:44, Mike
Jones via Openid-specs-ab wrote:</p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">Session ID definitions in the
OpenID Connect front-channel and back-channel logout
specs have been aligned so that the Session ID
definition is now the same in both specs. The Session
ID is scoped to the Issuer in both specs now (whereas
it was previously global in scope in the front-channel
spec). This means that the issuer value now needs to
be supplied whenever the Session ID is. This doesn’t
change the simple (no-parameter) front-channel logout
messages. The back-channel specification is now also
aligned with the ID Event Token specification.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">The new specification versions are:</p>
<p><span style="font-family:Symbol"><span>·<span
style="font:7.0pt 'Times New Roman'">
</span></span></span><a moz-do-not-send="true"
href="http://openid.net/specs/openid-connect-frontchannel-1_0-01.html"
target="_blank">http://openid.net/specs/openid-connect-frontchannel-1_0-01.html</a></p>
<p><span style="font-family:Symbol"><span>·<span
style="font:7.0pt 'Times New Roman'">
</span></span></span><a moz-do-not-send="true"
href="http://openid.net/specs/openid-connect-backchannel-1_0-03.html"
target="_blank">http://openid.net/specs/openid-connect-backchannel-1_0-03.html</a></p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">
-- Mike</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">P.S. This notice was also posted
at <a moz-do-not-send="true"
href="http://self-issued.info/?p=1599"
target="_blank">
http://self-issued.info/?p=1599</a> and as <a
moz-do-not-send="true"
href="https://twitter.com/selfissued"
target="_blank">
@selfissued</a>.</p>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:'Times New Roman',serif"><br>
<br>
<br>
</span></p>
<pre>_______________________________________________</pre>
<pre>Openid-specs-ab mailing list</pre>
<pre><a moz-do-not-send="true" href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a></pre>
<pre><a moz-do-not-send="true" href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a></pre>
</blockquote>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:'Times New Roman',serif"> </span></p>
</div>
</div>
</blockquote>
</div>
</blockquote>
<br>
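<p>The Section 2.2 constraint quoted in this thread ("The domain, port, and scheme of this URL MUST be the same as that of a registered Redirection URI value"), written as a check an OP could run when a client registers its logout URI. This is an added example, not part of the original messages or of the spec; the function names and the rp.example URLs are constructed, and treating an omitted port as the scheme default is an assumption about how "same port" is compared.</p>

```python
from urllib.parse import urlsplit

# Default ports, so https://rp.example and https://rp.example:443 compare equal (assumption).
DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample registration: two web redirect URIs and one native-app URI.
REGISTERED = [
    "https://rp.example/cb",
    "https://app.rp.example:8443/oidc/cb",
    "com.example.app:/cb",
]


def origin(url):
    """Return (scheme, host, port) for an absolute http(s) URL, or raise ValueError."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme in {url!r}")
    if not parts.hostname:
        raise ValueError(f"no host in {url!r}")
    if parts.username or parts.password:
        # Reject userinfo so "https://rp.example@other.example/" cannot pass by eye.
        raise ValueError(f"userinfo not allowed in {url!r}")
    # .port raises ValueError for a non-numeric or out-of-range port.
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    return scheme, parts.hostname, port  # urlsplit already lowercases hostname


def logout_uri_allowed(logout_uri, registered_redirect_uris):
    """True if logout_uri shares scheme, domain and port with a registered redirect URI."""
    try:
        candidate = origin(logout_uri)
    except ValueError:
        return False
    allowed = set()
    for uri in registered_redirect_uris:
        try:
            allowed.add(origin(uri))
        except ValueError:
            continue  # custom-scheme redirect URIs have no web origin to match
    return candidate in allowed


if __name__ == "__main__":
    for uri in ("https://rp.example:443/logout", "https://logout.rp.example/logout"):
        print(uri, logout_uri_allowed(uri, REGISTERED))
```

<p>The second URL is rejected because a sibling subdomain is a different origin, which is the "stricter than cookie domains" behaviour mentioned in the reply above.</p>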
</body>
</html>