<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>+1 to this. Many systems I've deployed will parse and validate
the ID token then throw it out, using local session management
from that point forward.<br>
</p>
<p> -- Justin<br>
</p>
<br>
<div class="moz-cite-prefix">On 8/24/2016 12:38 PM, Brian Campbell
via Openid-specs-ab wrote:<br>
</div>
<blockquote
cite="mid:CA+k3eCSYt-hLjc+ta-tzzdNCYyoqoqBiPzcnYF1sdNtzL8JXPg@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div>
<div>I would say yes, Thomas, but I think the answer will
depend on who you ask and when. <br>
<br>
</div>
Typically, in my own experience anyway, the SSO token (like
the id token) has a relatively short expiration time and is
consumed and validated by the client/RP once and then that
client sets up its own session or security context with its
own lifetime. <br>
<br>
</div>
But I think some have used or want to use the id token
directly as the session token at the client/RP. And doing so
might then rely on the exp in the id token as the session
expiration, which presumably would want a larger window. <br>
<br>
</div>
<div>I don't think the spec(s) explicitly require one approach
or the other. And, as such, I don't think any of the logout
stuff can assume one or the other. <br>
</div>
<br>
<div>
<div>
<div><br>
<br>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Wed, Aug 24, 2016 at 10:19
AM, Thomas Broyer via Openid-specs-ab <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:openid-specs-ab@lists.openid.net"
target="_blank">openid-specs-ab@lists.openid.net</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px
0px 0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div dir="ltr">Aren't ID Tokens supposed to have a
short expiration time? (I asked twice already over
the last 2 years and never got an answer, maybe
this time?)</div>
<div>
<div><br>
<div class="gmail_quote">
<div dir="ltr">On Wed, Aug 24, 2016 at 6:05 PM
Mike Jones via Openid-specs-ab <<a
moz-do-not-send="true"
href="mailto:openid-specs-ab@lists.openid.net"
target="_blank">openid-specs-ab@lists.openid.net</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote"
style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div dir="auto">
<div>
<p class="MsoNormal">I found your
original logic to be sound. The ID
Token could be reused with
id_token_hint until it expires.
Communicating the matching expiration
time in the logout made sense to me –
particularly in the no Session ID
case, as John points out.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">– Mike</p>
<p class="MsoNormal"><span
style="font-size:12pt;font-family:"Times
New Roman",serif"> </span></p>
<div style="border-width:1pt medium
medium;border-style:solid none
none;border-color:rgb(225,225,225)
-moz-use-text-color
-moz-use-text-color;padding:3pt 0in
0in">
<p class="MsoNormal"
style="border:medium
none;padding:0in"><b>From: </b><a
moz-do-not-send="true"
href="mailto:phil.hunt@oracle.com"
target="_blank">Phil Hunt (IDM)</a><br>
<b>Sent: </b>Wednesday, August 24,
2016 11:45 AM<br>
<b>To: </b><a
moz-do-not-send="true"
href="mailto:phil.hunt@oracle.com"
target="_blank">Phil Hunt (IDM)</a><br>
<b>Cc: </b><a
moz-do-not-send="true"
href="mailto:Michael.Jones@microsoft.com"
target="_blank">Mike Jones</a>; <a
moz-do-not-send="true"
href="mailto:openid-specs-ab@lists.openid.net"
target="_blank">
openid-specs-ab@lists.openid.net</a></p>
</div>
</div>
</div>
<div dir="auto">
<div>
<div style="border-width:1pt medium
medium;border-style:solid none
none;border-color:rgb(225,225,225)
-moz-use-text-color
-moz-use-text-color;padding:3pt 0in
0in">
<p class="MsoNormal"
style="border:medium
none;padding:0in"><br>
<b>Subject: </b>Re:
[Openid-specs-ab] Session ID
semantics aligned across OpenID
Connect front-channel and
back-channel logout specs</p>
</div>
</div>
</div>
<div dir="auto">
<div>
<div>Scratch that. Was thinking oauth
resource and tokens. </div>
<div><br>
</div>
<div>Not sure the same would exist
here. </div>
<div><br>
Phil</div>
<div><br>
On Aug 24, 2016, at 8:17 AM, Phil Hunt
(IDM) via Openid-specs-ab <<a
moz-do-not-send="true"
href="mailto:openid-specs-ab@lists.openid.net"
target="_blank">openid-specs-ab@lists.openid.net</a>>
wrote:<br>
<br>
</div>
<blockquote type="cite">
<div>
<div>It may be useful to include the
original session expiry time or
make the exp match the original id
token. If the service isn't
tracking state of sessions it
needs to know for how much longer
an id token might show up in order
to keep its revocation list
managed over time. <br>
<br>
Phil</div>
<div><br>
On Aug 24, 2016, at 5:58 AM, Mike
Jones via Openid-specs-ab <<a
moz-do-not-send="true"
href="mailto:openid-specs-ab@lists.openid.net"
target="_blank">openid-specs-ab@lists.openid.net</a>>
wrote:<br>
<br>
</div>
<blockquote type="cite">
<div>
<div>
<p class="MsoNormal"><span
style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(0,32,96)">Good
catch, Filip. I’d
replaced “exp” (expiration
time) with “iat” (issued
at) to align it with the
ID Events spec
<a moz-do-not-send="true"
href="https://tools.ietf.org/html/draft-hunt-idevent-token-03"
target="_blank">https://tools.ietf.org/html/draft-hunt-idevent-token-03</a>.
But I’d also wanted to ask
the working group – do we
want to retain an explicit
expiration time in the
logout token?</span></p>
<p class="MsoNormal"><span
style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(0,32,96)"> </span></p>
<p class="MsoNormal"><span
style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(0,32,96)">-- Mike</span></p>
<p class="MsoNormal"><b><span
style="font-size:11pt;font-family:"Calibri",sans-serif">From:</span></b><span
style="font-size:11pt;font-family:"Calibri",sans-serif"> Filip
[<a moz-do-not-send="true"
href="mailto:panva.ip@gmail.com" target="_blank">mailto:panva.ip@gmail.com</a>]
<br>
<b>Sent:</b> Wednesday,
August 24, 2016 1:24 AM<br>
<b>To:</b> Mike Jones <<a
moz-do-not-send="true"
href="mailto:Michael.Jones@microsoft.com"
target="_blank">Michael.Jones@microsoft.com</a>><br>
<b>Cc:</b> <a
moz-do-not-send="true"
href="mailto:openid-specs-ab@lists.openid.net"
target="_blank">openid-specs-ab@lists.openid.net</a><br>
<b>Subject:</b> Re:
[Openid-specs-ab] Session
ID semantics aligned
across OpenID Connect
front-channel and
back-channel logout specs</span></p>
<p class="MsoNormal"> </p>
<div>
<div>
<p class="MsoNormal">Hello,</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">Reviewing
the changes, I noticed that in
Section 2.4 of
Backchannel draft 03 the
'exp' claim got removed
from Logout Token
claims; however, Section
4 still recommends OPs
use short expiration
times for their Logout
Tokens. It is not clear
enough if 'exp' should
be present or not.</p>
</div>
<div>
<p class="MsoNormal"><br
clear="all">
</p>
<div>
<div>
<p class="MsoNormal">Best
Regards,<br>
<b>Filip Skokan</b></p>
</div>
</div>
<p class="MsoNormal"> </p>
<div>
<p class="MsoNormal">On
Wed, Aug 24, 2016 at
3:44 AM, Mike Jones
via Openid-specs-ab
<<a
moz-do-not-send="true"
href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>>
wrote:</p>
<blockquote
style="border-width:medium
medium medium
1pt;border-style:none
none none
solid;border-color:-moz-use-text-color
-moz-use-text-color
-moz-use-text-color
rgb(204,204,204);padding:0in
0in 0in
6pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p
class="MsoNormal">Session
ID definitions
in the OpenID
Connect
front-channel
and back-channel
logout specs
have been
aligned so that
the Session ID
definition is
now the same in
both specs. The
Session ID is
scoped to the
Issuer in both
specs now
(whereas it was
previously
global in scope
in the
front-channel
spec). This
means that the
issuer value now
needs to be
supplied
whenever the
Session ID is.
This doesn’t
change the
simple
(no-parameter)
front-channel
logout
messages. The
back-channel
specification is
now also aligned
with the ID
Event Token
specification.</p>
<p
class="MsoNormal"> </p>
<p
class="MsoNormal">The
new
specification
versions are:</p>
<p><span
style="font-family:Symbol">·</span><span
style="font-size:7pt"> </span>
<a
moz-do-not-send="true"
href="http://openid.net/specs/openid-connect-frontchannel-1_0-01.html"
target="_blank">http://openid.net/specs/openid-connect-frontchannel-1_0-01.html</a></p>
<p><span
style="font-family:Symbol">·</span><span
style="font-size:7pt"> </span>
<a
moz-do-not-send="true"
href="http://openid.net/specs/openid-connect-backchannel-1_0-03.html"
target="_blank">http://openid.net/specs/openid-connect-backchannel-1_0-03.html</a></p>
<p
class="MsoNormal"><span
style="color:rgb(136,136,136)"> </span></p>
<p
class="MsoNormal"><span
style="color:rgb(136,136,136)">-- Mike</span></p>
<p
class="MsoNormal"> </p>
<p
class="MsoNormal">P.S.
This notice was
also posted at <a
moz-do-not-send="true" href="http://self-issued.info/?p=1599"
target="_blank">
http://self-issued.info/?p=1599</a> and as <a
moz-do-not-send="true"
href="https://twitter.com/selfissued" target="_blank">
@selfissued</a>.</p>
</div>
</div>
<p class="MsoNormal"
style="margin-bottom:12pt"><br>
_______________________________________________<br>
Openid-specs-ab
mailing list<br>
<a
moz-do-not-send="true"
href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a><br>
<a
moz-do-not-send="true"
href="http://lists.openid.net/mailman/listinfo/openid-specs-ab"
target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a></p>
</blockquote>
</div>
<p class="MsoNormal"> </p>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</blockquote>
</div>
</div>
</blockquote>
</div>
</div>
</div>
<br>
<br>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</div>
</div>
<br>
</blockquote>
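<p>The points raised in this thread (the RP validating the ID Token once and then running its own session, the Session ID being scoped to the Issuer so that iss must accompany sid, and whether a Logout Token needs an explicit exp) can be tied together in a small RP-side handler. The following Python is added here as an editor's illustration; it is not code from the thread, from the OpenID Connect logout drafts, or from any of the participants. It looks local sessions up by (iss, sid), honours exp when the OP sends one and otherwise bounds acceptance by iat, and keeps each jti replay entry only for as long as the token could still be accepted, which is the bookkeeping Phil describes. Everything in it is constructed: HS256 with a per-issuer shared secret stands in for the OP's asymmetric signature so it runs offline (a real RP verifies against the OP's JWKS), and the MAX_AGE and CLOCK_SKEW values, the session store and the clock are assumptions made for the example.</p>

```python
"""Added illustration, not code from the thread or the OpenID specifications:
an RP-side handler for a back-channel logout token that looks sessions up by
(iss, sid) and keeps each jti in a replay cache only for the token's lifetime.
All keys, claim values and the clock below are constructed for the example."""
import base64
import hashlib
import hmac
import json
import time

LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"
MAX_AGE = 120      # seconds an iat-only logout token is accepted for (assumed RP policy)
CLOCK_SKEW = 30    # tolerance, in seconds, on iat / exp comparisons (assumed RP policy)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_token(claims: dict, key: bytes) -> str:
    """Constructed HS256 JWT; stands in for the OP's asymmetrically signed token."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


class LogoutHandler:
    """Local RP state: sessions keyed by (iss, sid) plus a bounded jti replay cache."""

    def __init__(self, client_id: str, issuer_keys: dict, now=time.time):
        self.client_id = client_id
        self.issuer_keys = issuer_keys   # iss -> verification key (a real RP uses the OP's JWKS)
        self.now = now
        self.sessions = {}               # (iss, sid) -> {"user": ..., "active": bool}
        self.seen_jti = {}               # jti -> instant after which the entry may be dropped

    def add_session(self, iss: str, sid: str, user: str) -> None:
        self.sessions[(iss, sid)] = {"user": user, "active": True}

    def _verify(self, token: str) -> dict:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":   # pin the algorithm before trusting anything else
            raise ValueError("unexpected alg")
        claims = json.loads(_b64url_decode(body_b64))
        # The still-unverified iss only selects the key; the signature check then binds it.
        key = self.issuer_keys.get(claims.get("iss"))
        if key is None:
            raise ValueError("unknown issuer")
        expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            raise ValueError("bad signature")
        return claims

    def handle(self, token: str) -> bool:
        """Validate a logout token and end the matching local session; True if one was ended."""
        claims = self._verify(token)
        now = self.now()
        self._purge(now)                   # drop jti entries no token could still match
        aud = claims.get("aud")
        if self.client_id not in (aud if isinstance(aud, list) else [aud]):
            raise ValueError("token not addressed to this client")
        if LOGOUT_EVENT not in claims.get("events", {}):
            raise ValueError("missing back-channel logout event")
        if "nonce" in claims:              # an ID Token must never pass as a logout token
            raise ValueError("nonce present")
        iat = claims["iat"]
        if iat > now + CLOCK_SKEW or now - iat > MAX_AGE + CLOCK_SKEW:
            raise ValueError("token too old or from the future")
        # Honour an explicit exp when the OP includes one; iat + MAX_AGE bounds it otherwise.
        exp = claims.get("exp", iat + MAX_AGE)
        if now > exp + CLOCK_SKEW:
            raise ValueError("token expired")
        jti = claims["jti"]
        if jti in self.seen_jti:
            raise ValueError("replayed logout token")
        # Keep the jti exactly as long as this token could still be accepted, no longer.
        self.seen_jti[jti] = min(exp, iat + MAX_AGE) + CLOCK_SKEW
        # Session ID is scoped to the Issuer: the same sid under another OP is a different session.
        # (A token carrying only sub would need a per-subject lookup, not shown here.)
        session = self.sessions.get((claims["iss"], claims.get("sid")))
        if session is None:
            return False                   # nothing to end locally
        session["active"] = False
        return True

    def _purge(self, now: float) -> None:
        self.seen_jti = {j: t for j, t in self.seen_jti.items() if t > now}
```

<p>Two design points follow from the thread. Keying sessions by the pair (iss, sid) rather than sid alone is what the Issuer scoping in the aligned drafts requires: two OPs may both hand out a sid of "sess-1", and a logout from one must not end the other's session. The replay cache is retained only until min(exp, iat + MAX_AGE) + CLOCK_SKEW, so an RP that keeps no server-side session state still knows exactly how long a given jti can show up; without either an exp or a fixed iat window there would be no such bound.</p>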
<br>
</body>
</html>