Subversion Repositories specifications

Compare Revisions

Rev 607 → Rev 608

connect/1.0/openid-connect-frontchannel-1_0.xml
23,7 → 23,7
 
<front>
<title abbrev="OpenID Connect Front-Channel Logout 1.0">OpenID Connect
Front-Channel Logout 1.0 - draft 00</title>
Front-Channel Logout 1.0 - draft 01</title>
 
<author fullname="Michael B. Jones" initials="M.B." surname="Jones">
<organization abbrev="Microsoft">Microsoft</organization>
33,7 → 33,7
</address>
</author>
 
<date day="19" month="February" year="2016" />
<date day="23" month="August" year="2016" />
 
<workgroup>OpenID Connect Working Group</workgroup>
 
113,11 → 113,10
 
<section anchor="Terminology" title="Terminology">
<t>
This specification uses the terms "Access Token", "Authorization Code",
"Authorization Endpoint", "Authorization Grant", "Authorization Server",
"Client", "Client Identifier", "Client Secret",
"Protected Resource", "Redirection URI", "Refresh Token",
"Resource Owner", "Resource Server", "Response Type", and "Token Endpoint"
This specification uses the terms
"Authorization Server",
"Client", "Client Identifier",
and "Redirection URI"
defined by <xref target="RFC6749">OAuth 2.0</xref>,
the term "User Agent" defined by <xref target="RFC7230">RFC 7230</xref>,
and the terms defined by
161,7 → 160,7
The logout URI MUST NOT include a fragment component.
</t>
<t>
The OP renders <spanx style="verb">&lt;iframe src="logout_uri"&gt;</spanx>
The OP renders <spanx style="verb">&lt;iframe src="frontchannel_logout_uri"&gt;</spanx>
in a page with the registered logout URI as the source
to trigger the logout actions by the RP.
Upon receiving a request to render the logout URI in an iframe,
198,9 → 197,15
OPTIONAL.
RP URL that will cause the RP to log itself out
when rendered in an iframe by the OP.
A <spanx style="verb">sid</spanx> (session ID) query parameter MAY be included
An <spanx style="verb">iss</spanx> (issuer) query parameter and
a <spanx style="verb">sid</spanx> (session ID) query parameter
MAY be included
by the OP to enable the RP to validate the request and to determine
which of the potentially multiple sessions is to be logged out.
If a <spanx style="verb">sid</spanx> (session ID) query parameter
is included,
an <spanx style="verb">iss</spanx> (issuer) query parameter
MUST also be included.
</t>
</list>
</t>
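Review bot: the new iss/sid text says the parameters "enable the RP to validate the request" but never says what that validation consists of, and the iframe GET that delivers them carries no authentication. Suggest stating that the RP MUST only log out a session whose (iss, sid) pair matches one it recorded from an ID Token issued by that iss (the sid Claim in ID Tokens is referenced later in this revision) and that a request matching no known session is ignored; as written, "validate" could be read as merely checking that both parameters are present.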
213,9 → 218,10
<vspace/>
OPTIONAL.
Boolean value specifying whether the RP requires that
a <spanx style="verb">sid</spanx> (session ID)
query parameter be included to identify the RP session with the OP
when the <spanx style="verb">logout_uri</spanx> is used.
<spanx style="verb">iss</spanx> (issuer)
and <spanx style="verb">sid</spanx> (session ID)
query parameters be included to identify the RP session with the OP
when the <spanx style="verb">frontchannel_logout_uri</spanx> is used.
If omitted, the default value is <spanx style="verb">false</spanx>.
</t>
</list>
229,7 → 235,7
at their logout URIs to cause them to log out.
Some OPs track this state using a "visited sites" cookie.
OPs contact them in parallel using a dynamically constructed page
with HTML <spanx style="verb">&lt;iframe src="logout_uri"&gt;</spanx> tags
with HTML <spanx style="verb">&lt;iframe src="frontchannel_logout_uri"&gt;</spanx> tags
rendering each logged-in RP's logout URI.
</t>
<t>
257,9 → 263,10
<vspace/>
OPTIONAL.
Boolean value specifying whether the OP can pass
a <spanx style="verb">sid</spanx> (session ID)
query parameter to identify the RP session with the OP
when the <spanx style="verb">logout_uri</spanx> is used.
<spanx style="verb">iss</spanx> (issuer)
and <spanx style="verb">sid</spanx> (session ID)
query parameters to identify the RP session with the OP
when the <spanx style="verb">frontchannel_logout_uri</spanx> is used.
If supported, the <spanx style="verb">sid</spanx> Claim is also included
in ID Tokens issued by the OP.
If omitted, the default value is <spanx style="verb">false</spanx>.
268,24 → 275,55
</t>
<t>
The <spanx style="verb">sid</spanx> (session ID) Claim used in ID Tokens and
as a <spanx style="verb">logout_uri</spanx> parameter has the following definition:
as a <spanx style="verb">frontchannel_logout_uri</spanx> parameter has the following definition:
</t>
<t>
<list style="hanging">
<t hangText="sid (session ID)"> <!-- Should be synchronized with openid-connect-backchannel-1_0.xml -->
<t hangText="sid">
<vspace/>
OPTIONAL.
String identifier for a Session.
This represents a Session of an OP at an RP
to a User Agent or device for a logged-in End-User.
Its contents are unique to the OP and opaque to the RP.
It MUST have sufficient entropy to prevent
collisions between Session IDs generated by different OPs
and to prevent it from being guessed by potential attackers.
Session ID - String identifier for a Session.
This represents a Session of a User Agent or device
for a logged-in End-User at an RP.
Different <spanx style="verb">sid</spanx> values are used to identify
distinct sessions at an OP.
The <spanx style="verb">sid</spanx> value need only be unique
in the context of a particular issuer.
Its contents are opaque to the RP.
Its syntax is the same as an OAuth 2.0 Client Identifier.
</t>
</list>
</t>
 
<section anchor="ExampleFrontchannel" title="Example Front-Channel Logout URL Usage">
<t>
In this non-normative example,
the RP has registered the <spanx style="verb">frontchannel_logout_uri</spanx>
value <spanx style="verb">https://rp.example.org/frontchannel_logout"</spanx>
with the OP.
In the simple case,
in which <spanx style="verb">frontchannel_logout_session_required</spanx> is false,
the OP causes the front-channel logout to occur by rendering this URL in an iframe:
</t>
<figure><artwork><![CDATA[
https://rp.example.org/frontchannel_logout
]]></artwork></figure>
<t>
In a second example,
in which <spanx style="verb">frontchannel_logout_session_required</spanx> is true,
Issuer and Session ID values are also sent.
This example uses an Issuer value of <spanx style="verb">https://server.example.com</spanx>
and a Session ID value of <spanx style="verb">08a5019c-17e1-4977-8f42-65a12843ea02</spanx>.
In this case,
the OP causes the front-channel logout to occur by rendering this URL in an iframe
(with line breaks for display purposes only):
</t>
<figure><artwork><![CDATA[
https://rp.example.org/frontchannel_logout
?iss=https://server.example.com
&sid=08a5019c-17e1-4977-8f42-65a12843ea02
]]></artwork></figure>
</section>
</section>
 
<section anchor="RPInitiated" title="RP-Initiated Logout Functionality">
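Review bot: the rewritten sid definition drops the removed requirement that the value "MUST have sufficient entropy ... to prevent it from being guessed by potential attackers", and nothing in the new wording ("need only be unique in the context of a particular issuer", "syntax is the same as an OAuth 2.0 Client Identifier") replaces it. For front-channel logout that property is load-bearing: the sid arrives on an unauthenticated GET and is the only thing tying the iframe request to a specific RP session, so a guessable value lets an unrelated page that can render the RP's logout URL pick which session is terminated. Keep an unguessability MUST here, or move it to Security Considerations, alongside the new issuer-scoped uniqueness rule. Minor: the first example's spanx value `https://rp.example.org/frontchannel_logout"` has a stray trailing quote.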
392,7 → 430,7
<t> <?rfc subcompact="yes"?>
<list style="symbols">
<t>
Client Metadata Name: <spanx style="verb">logout_uri</spanx>
Client Metadata Name: <spanx style="verb">frontchannel_logout_uri</spanx>
</t>
<t>
Client Metadata Description:
417,7 → 455,7
Boolean value specifying whether the RP requires that
a <spanx style="verb">sid</spanx> (session ID)
query parameter be included to identify the RP session with the OP
when the <spanx style="verb">logout_uri</spanx> is used
when the <spanx style="verb">frontchannel_logout_uri</spanx> is used
</t>
<t>
Change Controller: OpenID Foundation Artifact Binding Working Group - openid-specs-ab@lists.openid.net
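Review bot: this registry description for frontchannel_logout_session_required still speaks of "a sid (session ID) query parameter", while the normative definition earlier in this revision was changed to require both "iss (issuer) and sid (session ID) query parameters"; only the URI name was updated in this hunk. Align the IANA text with the definition so the registered description does not lag the specification.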
542,7 → 580,7
<organization abbrev="Illumila">Illumila</organization>
</author>
 
<date day="19" month="February" year="2016" />
<date day="23" month="August" year="2016" />
</front>
</reference>
 
558,7 → 596,7
<organization abbrev="Ping Identity">Ping Identity</organization>
</author>
 
<date day="19" month="February" year="2016" />
<date day="23" month="August" year="2016" />
</front>
</reference>
 
669,6 → 707,21
<t>[[ To be removed from the final specification ]]</t>
 
<t>
-01
<list style="symbols">
<t>
Scoped Session ID to be Issuer-specific, aligning it with the back-channel logout usage.
</t>
<t>
Finished changing uses of "logout_uri" to "frontchannel_logout_uri".
</t>
<t>
Removed references to terms that are not used.
</t>
</list>
</t>
 
<t>
-00
<list style="symbols">
<t>
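Review bot: the -01 change log records the issuer scoping of the Session ID and the renames, but not the removal of the entropy/unguessability MUST from the sid definition in the same revision. A dropped normative requirement should be listed explicitly so implementers re-check how they generate session identifiers.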
connect/1.0/openid-connect-session-1_0.xml
24,7 → 24,7
 
<front>
<title abbrev="OpenID Connect Session Management 1.0">OpenID Connect
Session Management 1.0 - draft 26</title>
Session Management 1.0 - draft 27</title>
 
<author fullname="Breno de Medeiros" initials="B." surname="de Medeiros">
<organization>Google</organization>
66,7 → 66,7
</address>
</author>
 
<date day="19" month="February" year="2016" />
<date day="23" month="August" year="2016" />
 
<workgroup>OpenID Connect Working Group</workgroup>
 
138,11 → 138,9
 
<section anchor="Terminology" title="Terminology">
<t>
This specification uses the terms "Access Token", "Authorization Code",
"Authorization Endpoint", "Authorization Grant", "Authorization Server",
"Client", "Client Identifier", "Client Secret",
"Protected Resource", "Redirection URI", "Refresh Token",
"Resource Owner", "Resource Server", "Response Type", and "Token Endpoint"
This specification uses the terms
"Authorization Endpoint", "Authorization Server",
"Client", and "Client Identifier"
defined by <xref target="RFC6749">OAuth 2.0</xref>,
the term "User Agent" defined by <xref target="RFC7230">RFC 7230</xref>,
and the terms defined by
820,7 → 818,7
<organization abbrev="Microsoft">Microsoft</organization>
</author>
 
<date day="19" month="February" year="2016" />
<date day="23" month="August" year="2016" />
</front>
</reference>
 
836,7 → 834,7
<organization abbrev="Ping Identity">Ping Identity</organization>
</author>
 
<date day="19" month="February" year="2016" />
<date day="23" month="August" year="2016" />
</front>
</reference>
 
922,6 → 920,15
<t>[[ To be removed from the final specification ]]</t>
 
<t>
-27
<list style="symbols">
<t>
Removed references to terms that are not used.
</t>
</list>
</t>
 
<t>
-26
<list style="symbols">
<t>
connect/1.0/openid-connect-backchannel-1_0.xml
23,7 → 23,7
 
<front>
<title abbrev="OpenID Connect Back-Channel Logout 1.0">OpenID Connect
Back-Channel Logout 1.0 - draft 02</title>
Back-Channel Logout 1.0 - draft 03</title>
 
<author fullname="Michael B. Jones" initials="M.B." surname="Jones">
<organization abbrev="Microsoft">Microsoft</organization>
41,7 → 41,7
</address>
</author>
 
<date day="19" month="February" year="2016" />
<date day="23" month="August" year="2016" />
 
<workgroup>OpenID Connect Working Group</workgroup>
 
132,6 → 132,7
<section anchor="Terminology" title="Terminology">
<t>
This specification uses the terms
"Authorization Server",
"Client", "Client Identifier", and "Redirection URI"
defined by <xref target="RFC6749">OAuth 2.0</xref>,
the term "User Agent" defined by <xref target="RFC7230">RFC 7230</xref>,
283,10 → 284,10
Audience(s), as specified in Section 2 of <xref target="OpenID.Core"/>.
</t>
 
<t hangText="exp">
<t hangText="iat">
<vspace/>
REQUIRED.
Expiration time, as specified in Section 2 of <xref target="OpenID.Core"/>.
Issued at time, as specified in Section 2 of <xref target="OpenID.Core"/>.
</t>
 
<t hangText="jti">
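Review bot: replacing the REQUIRED exp claim with iat means a Logout Token no longer carries its own expiry, so the acceptance window has to come from somewhere else. Either keep exp as at least OPTIONAL, or make sure the validation section states a maximum token age derived from iat; otherwise an RP has no normative basis for rejecting an old but correctly signed token.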
295,21 → 296,26
Unique identifier for the token, as specified in Section 9 of <xref target="OpenID.Core"/>.
</t>
 
<t hangText="logout_only">
<t hangText="events">
<vspace/>
REQUIRED.
Value declaring that this JWT is only to be used as a Logout Token.
In particular, this JWT cannot be used in any context where an ID Token is used.
The value of this Claim MUST be the JSON boolean value <spanx style="verb">true</spanx>.
Claim whose value is an array of strings,
the first of which is
<spanx style="verb">http://schemas.openid.net/event/backchannel-logout</spanx>.
This declares that the JWT is a Logout Token.
</t>
 
<t hangText="sid"> <!-- TBD: Should be synchronized with "sid" in openid-connect-frontchannel-1_0.xml -->
<t hangText="sid">
<vspace/>
OPTIONAL.
Session ID - String identifier for a Session.
This represents a Session of an OP at an RP
to a User Agent or device for a logged-in End-User.
Its contents are unique to the OP and opaque to the RP.
This represents a Session of a User Agent or device
for a logged-in End-User at an RP.
Different <spanx style="verb">sid</spanx> values are used to identify
distinct sessions at an OP.
The <spanx style="verb">sid</spanx> value need only be unique
in the context of a particular issuer.
Its contents are opaque to the RP.
Its syntax is the same as an OAuth 2.0 Client Identifier.
</t>
 
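Review bot: the removed logout_only text carried the explicit statement that the JWT "cannot be used in any context where an ID Token is used"; the events text that replaces it only says the JWT is a Logout Token. Because Logout Tokens are signed with the same keys as ID Tokens (stated a few lines below) and share iss, sub, aud, iat and jti, keep that sentence, or add one saying that ID Token consumers MUST reject a JWT carrying this events value, so the type separation stays normative rather than implied. The sid rewrite in this hunk mirrors the front-channel draft and likewise loses the unguessability requirement that the old "unique to the OP and opaque to the RP" wording sat next to.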
337,6 → 343,8
A Logout Token MUST be signed and MAY also be encrypted.
The same keys are used to sign and encrypt Logout Tokens
as are used for ID Tokens.
NOTE: The Logout Token is compatible with
<xref target="I-D.hunt-idevent-token">Security Event Token (SET)</xref> draft -03.
</t>
<figure>
<preamble>
347,10 → 355,10
"iss": "https://server.example.com",
"sub": "248289761001",
"aud": "s6BhdRkqt3",
"exp": 1458668580,
"iat": 1471566154,
"jti": "bWJq",
"sid": "08a5019c-17e1-4977-8f42-65a12843ea02",
"logout_only": true
"events": [ "http://schemas.openid.net/event/backchannel-logout" ]
}
]]></artwork>
</figure>
408,13 → 416,15
<t>
Validate the <spanx style="verb">iss</spanx>,
<spanx style="verb">aud</spanx>,
and <spanx style="verb">exp</spanx>
and <spanx style="verb">iat</spanx>
Claims in the same way they are validated in ID Tokens.
</t>
<t>
Verify that the Logout Token contains a
<spanx style="verb">logout_only</spanx> Claim
with the value <spanx style="verb">true</spanx>.
Verify that the Logout Token contains an
<spanx style="verb">events</spanx> Claim
whose value is an array of strings,
the first of which is
<spanx style="verb">http://schemas.openid.net/event/backchannel-logout</spanx>.
</t>
<t>
Verify that the Logout Token does not contain a
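Review bot: "validate iat ... in the same way they are validated in ID Tokens" leaves the acceptance window undefined now that exp is gone from the Logout Token; the ID Token rules are referenced rather than restated, so say here what applies (for example, reject tokens whose iat is older than an RP-configured maximum age) and add an explicit step that a jti already seen from this iss is rejected, since that is what makes a Logout Token non-replayable. Also, requiring the backchannel-logout URI to be the first element of events is stricter than requiring it to be present; if the aim is SET compatibility, say whether other event URIs may precede it, otherwise an RP and OP can disagree on ordering alone.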
509,34 → 519,6
 
<section anchor="IANA" title="IANA Considerations">
 
<section anchor="ClaimsRegistration" title="JSON Web Token Claims Registration">
<t>
This specification registers the following Claim in the IANA
"JSON Web Token Claims" registry <xref target="IANA.JWT.Claims"/>
established by <xref target="JWT"/>.
</t>
 
<section anchor='ClaimsContents' title='Registry Contents'>
<t> <?rfc subcompact="yes"?>
<list style='symbols'>
<t>
Claim Name: <spanx style="verb">logout_only</spanx>
</t>
<t>
Claim Description: Logout Only
</t>
<t>
Change Controller: OpenID Foundation Artifact Binding Working Group - openid-specs-ab@lists.openid.net
</t>
<t>
Specification Document(s): <xref target="LogoutToken"/> of this specification
</t>
</list>
</t>
</section>
<?rfc subcompact="no"?>
</section>
 
<section anchor="DynRegRegistration" title="OAuth Dynamic Client Registration Metadata Registration">
<t>
This specification registers the following client metadata definitions
679,7 → 661,7
<organization abbrev="Microsoft">Microsoft</organization>
</author>
 
<date day="19" month="February" year="2016" />
<date day="23" month="August" year="2016" />
</front>
</reference>
 
711,7 → 693,7
<organization abbrev="Illumila">Illumila</organization>
</author>
 
<date day="19" month="February" year="2016" />
<date day="23" month="August" year="2016" />
</front>
</reference>
 
773,7 → 755,7
 
<references title="Informative References">
<?rfc include="http://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.7591"?>
 
<?rfc include="http://xml2rfc.tools.ietf.org/public/rfc/bibxml3/reference.I-D.draft-hunt-idevent-token-03.xml" ?>
</references>
 
<section anchor="Acknowledgements" title="Acknowledgements">
834,6 → 816,18
<t>[[ To be removed from the final specification ]]</t>
 
<t>
-03
<list style="symbols">
<t>
Changed from using a <spanx style="verb">logout_only</spanx> claim
to using a logout event in the Logout Token.
The Logout Token is compatible with
<xref target="I-D.hunt-idevent-token">Security Event Token (SET)</xref> draft -03.
</t>
</list>
</t>
 
<t>
-02
<list style="symbols">
<t>
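Review bot: the -03 change log mentions only the logout_only to events change, but this revision also replaces the REQUIRED exp claim with iat and rewrites the sid definition (issuer-scoped uniqueness, Client Identifier syntax, entropy MUST removed). List those as well, since each one changes what RP validation code must check.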