<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Thanks for the clarification, Mike.<br>
<br>
<div class="moz-cite-prefix">On 16.11.2016 at 19:04, Mike Jones wrote:<br>
</div>
<blockquote
cite="mid:BN3PR03MB2355125DE84E85BD575537A6F5BE0@BN3PR03MB2355.namprd03.prod.outlook.com"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:'Calibri',sans-serif;color:#002060">The
“sid” claim is defined at
<a moz-do-not-send="true"
href="http://openid.net/specs/openid-connect-frontchannel-1_0.html#OPLogout">http://openid.net/specs/openid-connect-frontchannel-1_0.html#OPLogout</a>.
This definition is referenced from
<a moz-do-not-send="true"
href="http://openid.net/specs/openid-connect-backchannel-1_0.html">http://openid.net/specs/openid-connect-backchannel-1_0.html</a>.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:'Calibri',sans-serif;color:#002060"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:'Calibri',sans-serif;color:#002060">By
design, the SET spec leaves it up to the individual security
event definition what claims are required to be present in
the event, both as top-level claims and as claims in the
event-specific data structure. (This is very parallel to
how the JWT spec, by design, doesn’t mandate *<b>any</b>*
particular claims in a conforming JWT. This flexibility has
facilitated adoption of JWTs for very different use cases.)<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:'Calibri',sans-serif;color:#002060"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:'Calibri',sans-serif;color:#002060">Being
SET-compliant is defined at
<a moz-do-not-send="true"
href="https://tools.ietf.org/html/draft-hunt-idevent-token-06#section-2">https://tools.ietf.org/html/draft-hunt-idevent-token-06#section-2</a>.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:'Calibri',sans-serif;color:#002060"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:'Calibri',sans-serif;color:#002060">Thanks
for thinking about and reviewing all this, Torsten.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:'Calibri',sans-serif;color:#002060"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:'Calibri',sans-serif;color:#002060">
-- Mike<o:p></o:p></span></p>
<p class="MsoNormal"><a moz-do-not-send="true"
name="_MailEndCompose"><span
style="font-size:11.0pt;font-family:'Calibri',sans-serif;color:#002060"><o:p> </o:p></span></a></p>
<span style="mso-bookmark:_MailEndCompose"></span>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:11.0pt;font-family:'Calibri',sans-serif;color:windowtext">From:</span></b><span
style="font-size:11.0pt;font-family:'Calibri',sans-serif;color:windowtext">
Torsten Lodderstedt [<a class="moz-txt-link-freetext" href="mailto:torsten@lodderstedt.net">mailto:torsten@lodderstedt.net</a>]
<br>
<b>Sent:</b> Wednesday, November 16, 2016 6:54 PM<br>
<b>To:</b> Mike Jones
<a class="moz-txt-link-rfc2396E" href="mailto:Michael.Jones@microsoft.com">&lt;Michael.Jones@microsoft.com&gt;</a>; Phil Hunt
<a class="moz-txt-link-rfc2396E" href="mailto:phil.hunt@oracle.com">&lt;phil.hunt@oracle.com&gt;</a><br>
<b>Cc:</b> <a class="moz-txt-link-abbreviated" href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a><br>
<b>Subject:</b> Re: [Openid-specs-ab] Backchannel Logout
&amp; SET<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt">Hi Mike,<br>
<br>
where is the sid claim defined? And what is the meaning of SET
compliant?<br>
<br>
best regards,<br>
Torsten.<o:p></o:p></p>
<div>
<p class="MsoNormal">On 16.11.2016 at 17:25, Mike Jones wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:'Calibri',sans-serif;color:#002060">“sid”
is no more event-specific than “iss” and “sub” are. All
of these are defined as top-level JWT claims across the
Connect spec family. This has been extensively discussed
on working group calls and on the list. The conclusion
has always been to keep the logout token claims usage
parallel to that in the ID Token. Unnecessary differences
tend to be counter-productive.</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:'Calibri',sans-serif;color:#002060"> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:'Calibri',sans-serif;color:#002060">
-- Mike</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:'Calibri',sans-serif;color:#002060"> </span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:11.0pt;font-family:'Calibri',sans-serif">From:</span></b><span
style="font-size:11.0pt;font-family:'Calibri',sans-serif">
Openid-specs-ab [<a moz-do-not-send="true"
href="mailto:openid-specs-ab-bounces@lists.openid.net">mailto:openid-specs-ab-bounces@lists.openid.net</a>]
<b>On Behalf Of </b>Phil Hunt via Openid-specs-ab<br>
<b>Sent:</b> Wednesday, November 16, 2016 3:19 PM<br>
<b>To:</b> Torsten Lodderstedt <a
moz-do-not-send="true"
href="mailto:torsten@lodderstedt.net">&lt;torsten@lodderstedt.net&gt;</a><br>
<b>Cc:</b> <a moz-do-not-send="true"
href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a><br>
<b>Subject:</b> Re: [Openid-specs-ab] Backchannel
Logout &amp; SET</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">+1…. but we might want to hold off till I
rev the SET draft based on today’s proposed format change
proposed by Justin on the idevents mailing list. <o:p></o:p></p>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">I’ll try to get that published as quick
as I can.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal">Phil<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">@independentid<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><a
moz-do-not-send="true"
href="http://www.independentid.com">www.independentid.com</a><o:p></o:p></p>
</div>
</div>
</div>
</div>
<p class="MsoNormal"><a moz-do-not-send="true"
href="mailto:phil.hunt@oracle.com">phil.hunt@oracle.com</a><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"> <o:p></o:p></p>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal">On Nov 16, 2016, at 11:56 AM,
Torsten Lodderstedt via Openid-specs-ab &lt;<a
moz-do-not-send="true"
href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a>&gt;
wrote:<o:p></o:p></p>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<div>
<div>
<p class="MsoNormal">Hi all,<br>
<br>
I am wondering about the consequences of the
following statement: "NOTE: The Logout Token is
compatible with Security Event Token (SET)
[I‑D.hunt‑idevent‑token] draft -03."<br>
<br>
I think "sid" is an event-specific attribute and
if I understand SET correctly, it therefore needs
to go in the additional event data underneath an
element "<a moz-do-not-send="true"
href="http://schemas.openid.net/event/backchannel-logout">http://schemas.openid.net/event/backchannel-logout</a>".<br>
<br>
I think the example<br>
<br>
{<br>
"iss": "<a moz-do-not-send="true"
href="https://server.example.com">https://server.example.com</a>",<br>
"sub": "248289761001",<br>
"aud": "s6BhdRkqt3",<br>
"iat": 1471566154,<br>
"jti": "bWJq",<br>
"sid": "08a5019c-17e1-4977-8f42-65a12843ea02",<br>
"events": [ "<a moz-do-not-send="true"
href="http://schemas.openid.net/event/backchannel-logout">http://schemas.openid.net/event/backchannel-logout</a>"
]<br>
}<br>
<br>
should be modified to look as follows<br>
<br>
{<br>
"iss": "<a moz-do-not-send="true"
href="https://server.example.com">https://server.example.com</a>",<br>
"sub": "248289761001",<br>
"aud": "s6BhdRkqt3",<br>
"iat": 1471566154,<br>
"jti": "bWJq",<br>
"events": [ "<a moz-do-not-send="true"
href="http://schemas.openid.net/event/backchannel-logout">http://schemas.openid.net/event/backchannel-logout</a>"
],<br>
"<a moz-do-not-send="true"
href="http://schemas.openid.net/event/backchannel-logout">http://schemas.openid.net/event/backchannel-logout</a>":{<br>
"sid": "08a5019c-17e1-4977-8f42-65a12843ea02"<br>
}<br>
}<br>
<br>
What do you think?<br>
<br>
best regards,<br>
Torsten.<br>
<o:p></o:p></p>
</div>
</div>
</blockquote>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</blockquote>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</blockquote>
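<p>The two placements of "sid" debated in this thread, shown as an added example that is not part of the original messages or of either specification: a receiver-side helper that finds the session id in a decoded Logout Token payload under either layout and refuses a token whose two locations disagree. The name <code>locate_sid</code>, the string-type check and the conflict rule are assumptions of this example; the payloads are the thread's own samples, constructed here as inline JSON.</p>

```python
import json

# Event URI taken from the examples quoted in the thread.
LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"

# Constructed inputs: the two payloads from the thread, as decoded claims.
# Signature and issuer/audience validation are assumed to have happened first.
TOP_LEVEL = json.loads("""{
  "iss": "https://server.example.com", "sub": "248289761001",
  "aud": "s6BhdRkqt3", "iat": 1471566154, "jti": "bWJq",
  "sid": "08a5019c-17e1-4977-8f42-65a12843ea02",
  "events": ["http://schemas.openid.net/event/backchannel-logout"]
}""")
NESTED = json.loads("""{
  "iss": "https://server.example.com", "sub": "248289761001",
  "aud": "s6BhdRkqt3", "iat": 1471566154, "jti": "bWJq",
  "events": ["http://schemas.openid.net/event/backchannel-logout"],
  "http://schemas.openid.net/event/backchannel-logout": {
    "sid": "08a5019c-17e1-4977-8f42-65a12843ea02"
  }
}""")


def locate_sid(claims):
    """Return (layout, sid) for a decoded logout token payload.

    layout is "top-level", "nested" or "none". Raises ValueError when the
    logout event is not listed or the two locations disagree (assumed policy).
    """
    events = claims.get("events")
    if not isinstance(events, list) or LOGOUT_EVENT not in events:
        raise ValueError("not a back-channel logout event")
    top = claims.get("sid")
    payload = claims.get(LOGOUT_EVENT)
    nested = payload.get("sid") if isinstance(payload, dict) else None
    for value in (top, nested):
        if value is not None and not isinstance(value, str):
            raise ValueError("sid must be a string")
    if top is not None and nested is not None and top != nested:
        # Two different session ids in one token: do not guess which
        # session to terminate.
        raise ValueError("conflicting sid values")
    if top is not None:
        return ("top-level", top)
    if nested is not None:
        return ("nested", nested)
    return ("none", None)
```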
<br>
</body>
</html>