<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}
tt
{mso-style-priority:99;
font-family:"Courier New";}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:"Courier New";}
span.EmailStyle20
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.EmailStyle21
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 70.85pt 2.0cm 70.85pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">Hi,<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">Nonce in the logout JWT is prohibited
</span>to make a Logout Token syntactically invalid compared to an id_token.<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Wouldn’t it be more secure to use another signing key than the id_token signing key?<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Prohibiting nonce is a hack.<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Kind regards<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Axel<span style="font-size:12.0pt;font-family:"Times New Roman","serif""><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:12.0pt;font-family:"Times New Roman","serif""><o:p> </o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">The following Claim MUST NOT be used within the Logout Token:
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">nonce<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:72.0pt"><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">PROHIBITED. A
</span><span style="font-size:10.0pt;font-family:"Courier New"">nonce</span><span style="font-size:12.0pt;font-family:"Times New Roman","serif""> Claim MUST NOT be present. Its use is prohibited to make a Logout Token syntactically invalid if used in a forged
Authentication Response in place of an ID Token. <o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">Logout Tokens MAY contain other Claims. Any Claims used that are not understood MUST be ignored.
<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">A Logout Token MUST be signed and MAY also be encrypted. The same keys are used to sign and encrypt Logout Tokens
as are used for ID Tokens. NOTE: The Logout Token is compatible with <a href="http://openid.net/specs/openid-connect-backchannel-1_0.html#I-D.ietf-secevent-token">
Security Event Token (SET)</a> [I‑D.ietf‑secevent‑token] draft -00. <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Nennker, Axel
<br>
<b>Sent:</b> Thursday, March 16, 2017 12:49 PM<br>
<b>To:</b> Mike Jones (Michael.Jones@microsoft.com); John Bradley (ve7jtb@ve7jtb.com)<br>
<b>Cc:</b> openid-specs-ab@lists.openid.net<br>
<b>Subject:</b> backchannel logout: events<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Hi,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Regarding https://openid.net/specs/openid-connect-backchannel-1_0.html<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I am wondering what the reason behind events is:<o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">events<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:36.0pt"><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">REQUIRED. Claim whose value is a JSON object containing the member name
</span><span style="font-size:10.0pt;font-family:"Courier New"">http://schemas.openid.net/event/backchannel-logout</span><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">. This declares that the JWT is a Logout Token. The corresponding member
value MUST be a JSON object and SHOULD be the empty JSON object </span><span style="font-size:10.0pt;font-family:"Courier New"">{}</span><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">.
<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="text-autospace:none">The reason, I think, to have “events” is to make the logout JWT compatible to SET: https://tools.ietf.org/html/draft-ietf-secevent-token-01<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none">But SET states: “Security Events are not commands issued between parties”<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none">While openid-connect-backchannel-1_0.html JWT is a command.<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"><o:p> </o:p></p>
<p class="MsoNormal" style="text-autospace:none">If we want SET compatibility wouldn’t it make more sense to have a SET compatible response to the logout command?<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"><o:p> </o:p></p>
<p class="MsoNormal" style="text-autospace:none">Why is SET compatibility important? Is it important enough to justify this really strange type specifier?<o:p></o:p></p>
<pre>"events": {<o:p></o:p></pre>
<pre> "http://schemas.openid.net/event/backchannel-logout": {}<o:p></o:p></pre>
<pre> }<o:p></o:p></pre>
<p class="MsoNormal" style="text-autospace:none"><o:p> </o:p></p>
<p class="MsoNormal" style="text-autospace:none">Kind regards<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none">Axel<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"><o:p> </o:p></p>
<p class="MsoNormal" style="text-autospace:none"><o:p> </o:p></p>
<p class="MsoNormal" style="text-autospace:none"><o:p> </o:p></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#999999"><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#999999"><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#999999"><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#999999"><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><b><span lang="DE" style="font-size:8.0pt;font-family:"Arial","sans-serif";text-transform:uppercase">Deutsche Telekom AG<o:p></o:p></span></b></p>
<p class="MsoNormal" style="text-autospace:none"><span lang="DE" style="font-size:8.0pt;font-family:"Arial","sans-serif"">T-Labs (Research & Innovation)<br>
Dipl.-Inform. Axel Nennker<br>
Winterfeldtstr. 21, 10781 Berlin<br>
</span><span lang="FR" style="font-size:8.0pt;font-family:"Arial","sans-serif"">+491702275312 (Mobile)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="FR" style="font-size:8.0pt;font-family:"Arial","sans-serif"">E-Mail: axel.nennker@telekom.de</span><span lang="DE"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="DE"><o:p> </o:p></span></p>
</div>
</body>
</html>