<front> |
<title abbrev="OpenID Connect Front-Channel Logout 1.0">OpenID Connect |
Front-Channel Logout 1.0 - draft 00</title> |
Front-Channel Logout 1.0 - draft 01</title> |
|
<author fullname="Michael B. Jones" initials="M.B." surname="Jones"> |
<organization abbrev="Microsoft">Microsoft</organization> |
</address> |
</author> |
|
<date day="19" month="February" year="2016" /> |
<date day="23" month="August" year="2016" /> |
|
<workgroup>OpenID Connect Working Group</workgroup> |
|
|
<section anchor="Terminology" title="Terminology"> |
<t> |
This specification uses the terms "Access Token", "Authorization Code", |
"Authorization Endpoint", "Authorization Grant", "Authorization Server", |
"Client", "Client Identifier", "Client Secret", |
"Protected Resource", "Redirection URI", "Refresh Token", |
"Resource Owner", "Resource Server", "Response Type", and "Token Endpoint" |
This specification uses the terms |
"Authorization Server", |
"Client", "Client Identifier", |
and "Redirection URI" |
defined by <xref target="RFC6749">OAuth 2.0</xref>, |
the term "User Agent" defined by <xref target="RFC7230">RFC 7230</xref>, |
and the terms defined by |
The logout URI MUST NOT include a fragment component. |
</t> |
<t> |
The OP renders <spanx style="verb"><iframe src="logout_uri"></spanx> |
The OP renders <spanx style="verb"><iframe src="frontchannel_logout_uri"></spanx> |
in a page with the registered logout URI as the source |
to trigger the logout actions by the RP. |
Upon receiving a request to render the logout URI in an iframe, |
OPTIONAL. |
RP URL that will cause the RP to log itself out |
when rendered in an iframe by the OP. |
A <spanx style="verb">sid</spanx> (session ID) query parameter MAY be included |
An <spanx style="verb">iss</spanx> (issuer) query parameter and |
a <spanx style="verb">sid</spanx> (session ID) query parameter |
MAY be included |
by the OP to enable the RP to validate the request and to determine |
which of the potentially multiple sessions is to be logged out. |
If a <spanx style="verb">sid</spanx> (session ID) query parameter |
is included, |
an <spanx style="verb">iss</spanx> (issuer) query parameter |
MUST also be included. |
</t> |
</list> |
</t> |
<vspace/> |
OPTIONAL. |
Boolean value specifying whether the RP requires that |
a <spanx style="verb">sid</spanx> (session ID) |
query parameter be included to identify the RP session with the OP |
when the <spanx style="verb">logout_uri</spanx> is used. |
<spanx style="verb">iss</spanx> (issuer) |
and <spanx style="verb">sid</spanx> (session ID) |
query parameters be included to identify the RP session with the OP |
when the <spanx style="verb">frontchannel_logout_uri</spanx> is used. |
If omitted, the default value is <spanx style="verb">false</spanx>. |
</t> |
</list> |
at their logout URIs to cause them to log out. |
Some OPs track this state using a "visited sites" cookie. |
OPs contact them in parallel using a dynamically constructed page |
with HTML <spanx style="verb"><iframe src="logout_uri"></spanx> tags |
with HTML <spanx style="verb"><iframe src="frontchannel_logout_uri"></spanx> tags |
rendering each logged-in RP's logout URI. |
</t> |
<t> |
<vspace/> |
OPTIONAL. |
Boolean value specifying whether the OP can pass |
a <spanx style="verb">sid</spanx> (session ID) |
query parameter to identify the RP session with the OP |
when the <spanx style="verb">logout_uri</spanx> is used. |
<spanx style="verb">iss</spanx> (issuer) |
and <spanx style="verb">sid</spanx> (session ID) |
query parameters to identify the RP session with the OP |
when the <spanx style="verb">frontchannel_logout_uri</spanx> is used. |
If supported, the <spanx style="verb">sid</spanx> Claim is also included |
in ID Tokens issued by the OP. |
If omitted, the default value is <spanx style="verb">false</spanx>. |
</t> |
<t> |
The <spanx style="verb">sid</spanx> (session ID) Claim used in ID Tokens and |
as a <spanx style="verb">logout_uri</spanx> parameter has the following definition: |
as a <spanx style="verb">frontchannel_logout_uri</spanx> parameter has the following definition: |
</t> |
<t> |
<list style="hanging"> |
<t hangText="sid (session ID)"> <!-- Should be synchronized with openid-connect-backchannel-1_0.xml --> |
<t hangText="sid"> |
<vspace/> |
OPTIONAL. |
String identifier for a Session. |
This represents a Session of an OP at an RP |
to a User Agent or device for a logged-in End-User. |
Its contents are unique to the OP and opaque to the RP. |
It MUST have sufficient entropy to prevent |
collisions between Session IDs generated by different OPs |
and to prevent it from being guessed by potential attackers. |
Session ID - String identifier for a Session. |
This represents a Session of a User Agent or device |
for a logged-in End-User at an RP. |
Different <spanx style="verb">sid</spanx> values are used to identify |
distinct sessions at an OP. |
The <spanx style="verb">sid</spanx> value need only be unique |
in the context of a particular issuer. |
Its contents are opaque to the RP. |
Its syntax is the same as an OAuth 2.0 Client Identifier. |
</t> |
</list> |
</t> |
|
<section anchor="ExampleFrontchannel" title="Example Front-Channel Logout URL Usage"> |
<t> |
In this non-normative example, |
the RP has registered the <spanx style="verb">frontchannel_logout_uri</spanx> |
value <spanx style="verb">https://rp.example.org/frontchannel_logout</spanx> |
with the OP. |
In the simple case, |
in which <spanx style="verb">frontchannel_logout_session_required</spanx> is false, |
the OP causes the front-channel logout to occur by rendering this URL in an iframe: |
</t> |
<figure><artwork><![CDATA[ |
https://rp.example.org/frontchannel_logout |
]]></artwork></figure> |
<t> |
In a second example, |
in which <spanx style="verb">frontchannel_logout_session_required</spanx> is true, |
Issuer and Session ID values are also sent. |
This example uses an Issuer value of <spanx style="verb">https://server.example.com</spanx> |
and a Session ID value of <spanx style="verb">08a5019c-17e1-4977-8f42-65a12843ea02</spanx>. |
In this case, |
the OP causes the front-channel logout to occur by rendering this URL in an iframe |
(with line breaks for display purposes only): |
</t> |
<figure><artwork><![CDATA[ |
https://rp.example.org/frontchannel_logout |
?iss=https://server.example.com |
&sid=08a5019c-17e1-4977-8f42-65a12843ea02 |
]]></artwork></figure> |
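<t>
The two URLs above, as an added example that is not part of this specification:
Python helpers for the OP to construct the front-channel logout URL and for the RP
to validate the request it receives in the iframe, enforcing that a sid is never
accepted without an iss and that the logout URI carries no fragment.
The function names and the expected_iss / session_required parameters are assumptions.
</t>

```python
# Added example, not from the specification: OP-side construction and RP-side
# validation of the front-channel logout URL. Function names are assumed.
from urllib.parse import parse_qs, urlencode, urlsplit

# The frontchannel_logout_uri registered by the RP in the draft's example
RP_LOGOUT_URI = "https://rp.example.org/frontchannel_logout"

def build_frontchannel_logout_url(logout_uri, iss=None, sid=None):
    """OP side: the src the OP renders in <iframe src=...> to log the RP out.
    The registered URI MUST NOT include a fragment, and whenever a sid query
    parameter is sent an iss query parameter MUST be sent with it."""
    if urlsplit(logout_uri).fragment:
        raise ValueError("frontchannel_logout_uri MUST NOT include a fragment")
    if sid is not None and iss is None:
        raise ValueError("a sid query parameter requires an iss query parameter")
    params = {}
    if iss is not None:
        params["iss"] = iss
    if sid is not None:
        params["sid"] = sid
    if not params:
        return logout_uri
    # safe=":/" leaves the issuer URL readable, as in the draft's example
    return logout_uri + "?" + urlencode(params, safe=":/")

def parse_frontchannel_logout_request(url, expected_iss, session_required):
    """RP side: return (iss, sid) identifying the session to end, or raise.
    session_required mirrors the RP's frontchannel_logout_session_required."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    iss_values, sid_values = query.get("iss", []), query.get("sid", [])
    if len(iss_values) > 1 or len(sid_values) > 1:
        raise ValueError("iss and sid MUST each appear at most once")
    iss = iss_values[0] if iss_values else None
    sid = sid_values[0] if sid_values else None
    if sid is not None and iss is None:
        raise ValueError("sid received without iss")
    if session_required and sid is None:
        raise ValueError("this RP requires iss and sid to identify the session")
    # sid is only unique per issuer, so never act on one from a different OP
    if iss is not None and iss != expected_iss:
        raise ValueError("iss does not match the OP this RP registered with")
    return iss, sid
```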
</section> |
</section> |
|
<section anchor="RPInitiated" title="RP-Initiated Logout Functionality"> |
<t> <?rfc subcompact="yes"?> |
<list style="symbols"> |
<t> |
Client Metadata Name: <spanx style="verb">logout_uri</spanx> |
Client Metadata Name: <spanx style="verb">frontchannel_logout_uri</spanx> |
</t> |
<t> |
Client Metadata Description: |
Boolean value specifying whether the RP requires that |
a <spanx style="verb">sid</spanx> (session ID) |
query parameter be included to identify the RP session with the OP |
when the <spanx style="verb">logout_uri</spanx> is used |
when the <spanx style="verb">frontchannel_logout_uri</spanx> is used |
</t> |
<t> |
Change Controller: OpenID Foundation Artifact Binding Working Group - openid-specs-ab@lists.openid.net |
<organization abbrev="Illumila">Illumila</organization> |
</author> |
|
<date day="19" month="February" year="2016" /> |
<date day="23" month="August" year="2016" /> |
</front> |
</reference> |
|
<organization abbrev="Ping Identity">Ping Identity</organization> |
</author> |
|
<date day="19" month="February" year="2016" /> |
<date day="23" month="August" year="2016" /> |
</front> |
</reference> |
|
<t>[[ To be removed from the final specification ]]</t> |
|
<t> |
-01 |
<list style="symbols"> |
<t> |
Scoped Session ID to be Issuer-specific, aligning it with the back-channel logout usage. |
</t> |
<t> |
Finished changing uses of "logout_uri" to "frontchannel_logout_uri". |
</t> |
<t> |
Removed references to terms that are not used. |
</t> |
</list> |
</t> |
|
<t> |
-00 |
<list style="symbols"> |
<t> |
|
<front> |
<title abbrev="OpenID Connect Session Management 1.0">OpenID Connect |
Session Management 1.0 - draft 26</title> |
Session Management 1.0 - draft 27</title> |
|
<author fullname="Breno de Medeiros" initials="B." surname="de Medeiros"> |
<organization>Google</organization> |
</address> |
</author> |
|
<date day="19" month="February" year="2016" /> |
<date day="23" month="August" year="2016" /> |
|
<workgroup>OpenID Connect Working Group</workgroup> |
|
|
<section anchor="Terminology" title="Terminology"> |
<t> |
This specification uses the terms "Access Token", "Authorization Code", |
"Authorization Endpoint", "Authorization Grant", "Authorization Server", |
"Client", "Client Identifier", "Client Secret", |
"Protected Resource", "Redirection URI", "Refresh Token", |
"Resource Owner", "Resource Server", "Response Type", and "Token Endpoint" |
This specification uses the terms |
"Authorization Endpoint", "Authorization Server", |
"Client", and "Client Identifier" |
defined by <xref target="RFC6749">OAuth 2.0</xref>, |
the term "User Agent" defined by <xref target="RFC7230">RFC 7230</xref>, |
and the terms defined by |
<organization abbrev="Microsoft">Microsoft</organization> |
</author> |
|
<date day="19" month="February" year="2016" /> |
<date day="23" month="August" year="2016" /> |
</front> |
</reference> |
|
<organization abbrev="Ping Identity">Ping Identity</organization> |
</author> |
|
<date day="19" month="February" year="2016" /> |
<date day="23" month="August" year="2016" /> |
</front> |
</reference> |
|
<t>[[ To be removed from the final specification ]]</t> |
|
<t> |
-27 |
<list style="symbols"> |
<t> |
Removed references to terms that are not used. |
</t> |
</list> |
</t> |
|
<t> |
-26 |
<list style="symbols"> |
<t> |
|
<front> |
<title abbrev="OpenID Connect Back-Channel Logout 1.0">OpenID Connect |
Back-Channel Logout 1.0 - draft 02</title> |
Back-Channel Logout 1.0 - draft 03</title> |
|
<author fullname="Michael B. Jones" initials="M.B." surname="Jones"> |
<organization abbrev="Microsoft">Microsoft</organization> |
</address> |
</author> |
|
<date day="19" month="February" year="2016" /> |
<date day="23" month="August" year="2016" /> |
|
<workgroup>OpenID Connect Working Group</workgroup> |
|
<section anchor="Terminology" title="Terminology"> |
<t> |
This specification uses the terms |
"Authorization Server", |
"Client", "Client Identifier", and "Redirection URI" |
defined by <xref target="RFC6749">OAuth 2.0</xref>, |
the term "User Agent" defined by <xref target="RFC7230">RFC 7230</xref>, |
Audience(s), as specified in Section 2 of <xref target="OpenID.Core"/>. |
</t> |
|
<t hangText="exp"> |
<t hangText="iat"> |
<vspace/> |
REQUIRED. |
Expiration time, as specified in Section 2 of <xref target="OpenID.Core"/>. |
Issued at time, as specified in Section 2 of <xref target="OpenID.Core"/>. |
</t> |
|
<t hangText="jti"> |
Unique identifier for the token, as specified in Section 9 of <xref target="OpenID.Core"/>. |
</t> |
|
<t hangText="logout_only"> |
<t hangText="events"> |
<vspace/> |
REQUIRED. |
Value declaring that this JWT is only to be used as a Logout Token. |
In particular, this JWT cannot be used in any context where an ID Token is used. |
The value of this Claim MUST be the JSON boolean value <spanx style="verb">true</spanx>. |
Claim whose value is an array of strings, |
the first of which is |
<spanx style="verb">http://schemas.openid.net/event/backchannel-logout</spanx>. |
This declares that the JWT is a Logout Token. |
</t> |
|
<t hangText="sid"> <!-- TBD: Should be synchronized with "sid" in openid-connect-frontchannel-1_0.xml --> |
<t hangText="sid"> |
<vspace/> |
OPTIONAL. |
Session ID - String identifier for a Session. |
This represents a Session of an OP at an RP |
to a User Agent or device for a logged-in End-User. |
Its contents are unique to the OP and opaque to the RP. |
This represents a Session of a User Agent or device |
for a logged-in End-User at an RP. |
Different <spanx style="verb">sid</spanx> values are used to identify |
distinct sessions at an OP. |
The <spanx style="verb">sid</spanx> value need only be unique |
in the context of a particular issuer. |
Its contents are opaque to the RP. |
Its syntax is the same as an OAuth 2.0 Client Identifier. |
</t> |
|
A Logout Token MUST be signed and MAY also be encrypted. |
The same keys are used to sign and encrypt Logout Tokens |
as are used for ID Tokens. |
NOTE: The Logout Token is compatible with |
<xref target="I-D.hunt-idevent-token">Security Event Token (SET)</xref> draft -03. |
</t> |
<figure> |
<preamble> |
"iss": "https://server.example.com", |
"sub": "248289761001", |
"aud": "s6BhdRkqt3", |
"exp": 1458668580, |
"iat": 1471566154, |
"jti": "bWJq", |
"sid": "08a5019c-17e1-4977-8f42-65a12843ea02", |
"logout_only": true |
"events": [ "http://schemas.openid.net/event/backchannel-logout" ] |
} |
]]></artwork> |
</figure> |
<t> |
Validate the <spanx style="verb">iss</spanx>, |
<spanx style="verb">aud</spanx>, |
and <spanx style="verb">exp</spanx> |
and <spanx style="verb">iat</spanx> |
Claims in the same way they are validated in ID Tokens. |
</t> |
<t> |
Verify that the Logout Token contains a |
<spanx style="verb">logout_only</spanx> Claim |
with the value <spanx style="verb">true</spanx>. |
Verify that the Logout Token contains an |
<spanx style="verb">events</spanx> Claim |
whose value is an array of strings, |
the first of which is |
<spanx style="verb">http://schemas.openid.net/event/backchannel-logout</spanx>. |
</t> |
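<t>
The validation steps above, as an added example that is not the specification's own code:
a Python check of the Logout Token claim set, assuming the JWS signature has already been
verified with the same keys the OP uses for ID Tokens.
The function name, the seen_jti replay set, and the sample claim values
(modelled on the draft's example, with consistent times) are assumptions.
</t>

```python
# Added example, not from the specification: validating Logout Token claims.
import time

BACKCHANNEL_LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"

# Constructed sample claim set, modelled on the draft's example Logout Token
SAMPLE_LOGOUT_TOKEN = {
    "iss": "https://server.example.com",
    "sub": "248289761001",
    "aud": "s6BhdRkqt3",
    "exp": 1471566754,
    "iat": 1471566154,
    "jti": "bWJq",
    "sid": "08a5019c-17e1-4977-8f42-65a12843ea02",
    "events": [BACKCHANNEL_LOGOUT_EVENT],
}

def validate_logout_token_claims(claims, expected_iss, client_id, now=None,
                                 leeway=60, seen_jti=None):
    """Check the claims this draft requires of a Logout Token; return (sub, sid).

    Signature verification is assumed to have happened already. iss, aud, exp
    and iat are checked as for an ID Token; events must declare the back-channel
    logout event; jti feeds an assumed caller-supplied replay set."""
    now = time.time() if now is None else now
    if claims.get("iss") != expected_iss:
        raise ValueError("iss does not match the expected issuer")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if client_id not in aud:
        raise ValueError("aud does not contain this client_id")
    if not isinstance(claims.get("exp"), int) or claims["exp"] < now - leeway:
        raise ValueError("exp missing or token expired")
    if not isinstance(claims.get("iat"), int) or claims["iat"] > now + leeway:
        raise ValueError("iat missing or in the future")
    events = claims.get("events")
    if (not isinstance(events, list) or not events
            or not all(isinstance(e, str) for e in events)
            or events[0] != BACKCHANNEL_LOGOUT_EVENT):
        # An ID Token carries no such events claim, so it is rejected here
        raise ValueError("events claim does not declare a back-channel logout")
    jti = claims.get("jti")
    if not isinstance(jti, str) or not jti:
        raise ValueError("jti missing")
    if seen_jti is not None:
        if jti in seen_jti:
            raise ValueError("replayed Logout Token: jti already seen")
        seen_jti.add(jti)
    return claims.get("sub"), claims.get("sid")
```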
<t> |
Verify that the Logout Token does not contain a |
|
<section anchor="IANA" title="IANA Considerations"> |
|
<section anchor="ClaimsRegistration" title="JSON Web Token Claims Registration"> |
<t> |
This specification registers the following Claim in the IANA |
"JSON Web Token Claims" registry <xref target="IANA.JWT.Claims"/> |
established by <xref target="JWT"/>. |
</t> |
|
<section anchor='ClaimsContents' title='Registry Contents'> |
<t> <?rfc subcompact="yes"?> |
<list style='symbols'> |
<t> |
Claim Name: <spanx style="verb">logout_only</spanx> |
</t> |
<t> |
Claim Description: Logout Only |
</t> |
<t> |
Change Controller: OpenID Foundation Artifact Binding Working Group - openid-specs-ab@lists.openid.net |
</t> |
<t> |
Specification Document(s): <xref target="LogoutToken"/> of this specification |
</t> |
</list> |
</t> |
</section> |
<?rfc subcompact="no"?> |
</section> |
|
<section anchor="DynRegRegistration" title="OAuth Dynamic Client Registration Metadata Registration"> |
<t> |
This specification registers the following client metadata definitions |
<organization abbrev="Microsoft">Microsoft</organization> |
</author> |
|
<date day="19" month="February" year="2016" /> |
<date day="23" month="August" year="2016" /> |
</front> |
</reference> |
|
<organization abbrev="Illumila">Illumila</organization> |
</author> |
|
<date day="19" month="February" year="2016" /> |
<date day="23" month="August" year="2016" /> |
</front> |
</reference> |
|
|
<references title="Informative References"> |
<?rfc include="http://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.7591"?> |
|
<?rfc include="http://xml2rfc.tools.ietf.org/public/rfc/bibxml3/reference.I-D.draft-hunt-idevent-token-03.xml" ?> |
</references> |
|
<section anchor="Acknowledgements" title="Acknowledgements"> |
<t>[[ To be removed from the final specification ]]</t> |
|
<t> |
-03 |
<list style="symbols"> |
<t> |
Changed from using a <spanx style="verb">logout_only</spanx> claim |
to using a logout event in the Logout Token. |
The Logout Token is compatible with |
<xref target="I-D.hunt-idevent-token">Security Event Token (SET)</xref> draft -03. |
</t> |
</list> |
</t> |
|
<t> |
-02 |
<list style="symbols"> |
<t> |