<div><div dir="auto">Can you clarify or elaborate on what you’re saying on your last email? I don’t quite follow. Thanks </div></div><div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sat, Aug 31, 2019 at 11:04 AM Filip Skokan via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="auto">That of course comes from the POV where killing a session is comparable to a no-op and maybe that the session is only dropped if the client has been encountered in it?<div><div><br><div id="m_3685774108304474374AppleMailSignature" dir="ltr">Sent from iPhone</div><div dir="ltr"><br>31. 8. 2019 at 8:49, Filip Skokan <<a href="mailto:panva.ip@gmail.com" target="_blank">panva.ip@gmail.com</a>>:<br><br></div></div></div></div><div dir="auto"><div><div><blockquote type="cite"><div dir="ltr"><div>Hi Phil, everyone,</div><div><br></div><a href="https://bitbucket.org/openid/connect/issues/1087/rp-initiated-logout-insufficient" target="_blank">https://bitbucket.org/openid/connect/issues/1087/rp-initiated-logout-insufficient</a><div><br></div><div>An issue I opened on the subject a while back with no group response. </div><div><br></div><div>I always assumed the exp is to be ignored because of the short ttl nature of an id token.</div><div><br><div id="m_3685774108304474374AppleMailSignature" dir="ltr">Sent from iPhone</div><div dir="ltr"><br>31. 8. 
2019 at 2:26, Phil Hunt via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>>:<br><br></div><blockquote type="cite"><div dir="ltr">A question has arisen based on differences observed in multiple implementations.<div><br></div><div>When executing front channel logout per the session management spec it is unclear what the response should be if “id_token_hint” contains an expired token.  The processing rules allow you to ignore audience but they say nothing about an expired token.</div><div><br></div><div><dl><dt style="color:rgb(0,0,0);font-family:verdana,charcoal,helvetica,arial,sans-serif">id_token_hint</dt><dd style="color:rgb(0,0,0);font-family:verdana,charcoal,helvetica,arial,sans-serif">RECOMMENDED. Previously issued ID Token passed to the logout endpoint as a hint about the End-User's current authenticated session with the Client. This is used as an indication of the identity of the End-User that the RP is requesting be logged out by the OP. 
The OP need not be listed as an audience of the ID Token when it is used as an <tt style="color:rgb(0,51,102);font-family:&quot;Courier New&quot;,Courier,monospace;font-size:small">id_token_hint</tt> value.</dd></dl><div><br></div></div><div>Section 6 says…</div><div><span style="color:rgb(0,0,0);font-family:verdana,charcoal,helvetica,arial,sans-serif;font-size:small;background-color:rgb(255,255,255)">"If any of the validation procedures defined in this specification fail, any operations requiring the information that failed to correctly validate MUST be aborted and the information that failed to validate MUST NOT be used."</span></div><div><span style="color:rgb(0,0,0);font-family:verdana,charcoal,helvetica,arial,sans-serif;font-size:small;background-color:rgb(255,255,255)"><br></span></div><div><span style="color:rgb(0,0,0);font-family:verdana,charcoal,helvetica,arial,sans-serif;font-size:small;background-color:rgb(255,255,255)">The problem is, the spec never calls for the token to be validated but it does say you can skip the audience.</span></div><div><span style="color:rgb(0,0,0);font-family:verdana,charcoal,helvetica,arial,sans-serif;font-size:small;background-color:rgb(255,255,255)"><br></span></div><div><span style="background-color:rgb(255,255,255)"><font color="#000000" face="verdana, charcoal, helvetica, arial, sans-serif" size="2"><span>In this case what is the correct response?  It seems like an error should be returned.  Though killing an expired session doesn’t seem like much more than a no-op.  
It seems like this would provide better UX.</span></font></span></div><div><span style="color:rgb(0,0,0);font-family:verdana,charcoal,helvetica,arial,sans-serif;font-size:small;background-color:rgb(255,255,255)"><br></span></div><div><span style="background-color:rgb(255,255,255)"><font color="#000000" face="verdana, charcoal, helvetica, arial, sans-serif" size="2">The concern is that if accepted it might be used as a DoS attack to cause the redirect url to be invoked when it shouldn’t.</font></span></div><div><span style="color:rgb(0,0,0);font-family:verdana,charcoal,helvetica,arial,sans-serif;font-size:small;background-color:rgb(255,255,255)"><br></span></div><div><div>
<div><div>Phil Hunt | OCI IDCS Cloud Identity & Security Architect</div><div>Oracle Corporation, Oracle Cloud Infrastructure</div><div>@independentid</div><div><a href="http://www.independentid.com" target="_blank">www.independentid.com</a></div><div><a href="mailto:phil.hunt@oracle.com" target="_blank">phil.hunt@oracle.com</a></div></div>
</div>

<br></div></div></blockquote><blockquote type="cite"><div dir="ltr"><span>_______________________________________________</span><br><span>Openid-specs-ab mailing list</span><br><span><a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a></span><br><span><a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a></span><br></div></blockquote></div></div></blockquote></div></div></div>
</blockquote></div></div>-- <br><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><br>-Brock<br><br></div>
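As an added example (not code from the thread or from any participant), a minimal Python sketch of how an OP logout endpoint could treat an id_token_hint: verify the signature and issuer, ignore the audience as the spec allows, record but not enforce exp, and then decide separately whether to drop the session and whether to honour the post-logout redirect. The HS256 key, issuer, client ids and URIs are constructed, and the policy in logout_action is one assumed answer to Phil's question, not spec text.

```python
import base64
import hashlib
import hmac
import json

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def sign_hs256(claims, key):
    """Constructed HS256 ID Token for the demo (a real OP would usually sign with RS256)."""
    header = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def parse_id_token_hint(token, key, issuer):
    """Verify signature and issuer only. Audience is deliberately not checked (the OP
    need not be listed as an audience of an id_token_hint), and exp is not enforced
    here but left to the caller, since the spec says nothing about expired hints."""
    header, payload, sig = token.split(".")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    return claims

def logout_action(claims, session, redirect_uri, registered, now):
    """One possible policy (an assumption, not spec text): an expired hint is not an
    error, the OP session is dropped only if the hint really names it, and the
    post-logout redirect is honoured only for a URI registered by a client in aud."""
    aud = claims.get("aud")
    clients = set(aud) if isinstance(aud, list) else {aud}
    matches = (session is not None and session.get("sub") == claims.get("sub")
               and ("sid" not in claims or session.get("sid") == claims["sid"]))
    redirect_ok = any(redirect_uri in registered.get(c, set()) for c in clients)
    return {"hint_expired": claims.get("exp", now) < now,
            "drop_session": matches,
            "redirect": redirect_uri if redirect_uri and redirect_ok else None}
```

With this split, a stale but genuine hint for the current session still logs the user out and redirects, while a hint that does not match the session becomes the no-op discussed above and an unregistered redirect URI is never followed.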