
Back-Channel Logout #70

Open
yuriyz opened this Issue Sep 10, 2015 · 6 comments

@yuriyz
Contributor

yuriyz commented Sep 10, 2015

@yuriyz yuriyz self-assigned this Sep 10, 2015

@yurem

Contributor

yurem commented Sep 10, 2015

You know more in this area. Can you explain or give us an example of where we can use back-channel logout? Can we just call https://server/oxauth/seam/resource/restv1/oxauth/end_session to end the session?

@nynymike

Contributor

nynymike commented Sep 10, 2015

I think this method requires the RP to have an endpoint to receive a notification from the OP that a logout has occurred. Originally, Google was dead set against this. They can't support this because it's too hard to remember all the clients that require a logout notification, and it would have a big network impact. However, I think that many enterprises have the requirement, and it was decided that OpenID Connect needed this if it was going to replace SAML.

One of the complications is: how will the OP handle the notification? Will they be sent in serial? If so, what happens if one of the notifications to an RP fails? Will the notification be resent? If so, how many times? This leads to a situation where there is no guarantee that the RP will actually receive the notification.

Should the OP test the endpoint on registration? Should it allow a client with a non-working callback to register?

Basically it raises many issues, so it's important that the design is documented, and whatever our solution is, it makes it into the documentation.
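The RP-side receiver that nynymike describes above, as an added example (not oxAuth or oxTrust code): it verifies a logout token delivered by the OP and ends the matching local sessions. The issuer URL, client id, HS256 shared secret, session store layout and the 300-second `iat` window are assumptions for this example; a production RP would normally verify an RS256 signature against the OP's published JWKS instead.

```python
import base64, hashlib, hmac, json

BACKCHANNEL_EVENT = "http://schemas.openid.net/event/backchannel-logout"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _require(cond: bool, reason: str) -> None:
    if not cond:
        raise ValueError(reason)  # the endpoint would answer HTTP 400 with this reason

def sign_logout_token(claims: dict, secret: bytes) -> str:
    """Constructed OP-side helper: HS256 compact JWS (real OPs mostly use RS256 + JWKS)."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

class BackchannelLogoutReceiver:
    """RP-side logic behind the back-channel logout URI: verify the token, end matching sessions."""
    def __init__(self, issuer: str, client_id: str, secret: bytes, sessions: dict):
        self.issuer, self.client_id, self.secret = issuer, client_id, secret
        self.sessions = sessions  # local session key -> {"sub": ..., "sid": ...} saved at login
        self.seen_jti = set()     # replay protection; a real RP persists this with a TTL

    def handle(self, logout_token: str, now: int) -> list:
        head, body, sig = logout_token.split(".")
        # Pin the algorithm before checking the signature: never trust alg from the token alone
        _require(json.loads(_b64url_decode(head)).get("alg") == "HS256", "unexpected alg")
        expected = hmac.new(self.secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
        _require(hmac.compare_digest(expected, _b64url_decode(sig)), "bad signature")
        c = json.loads(_b64url_decode(body))
        aud = c.get("aud")
        aud = [aud] if isinstance(aud, str) else (aud or [])
        _require(c.get("iss") == self.issuer and self.client_id in aud, "iss/aud mismatch")
        _require(isinstance(c.get("iat"), int) and abs(now - c["iat"]) <= 300, "iat out of window")
        _require("nonce" not in c, "nonce present: an ID token is not a logout token")
        _require("sub" in c or "sid" in c, "sub or sid required")
        _require(isinstance(c.get("events"), dict) and isinstance(c["events"].get(BACKCHANNEL_EVENT), dict), "logout event missing")
        _require(bool(c.get("jti")) and c["jti"] not in self.seen_jti, "missing or replayed jti")
        self.seen_jti.add(c["jti"])
        # sid names one OP session; with only sub, every local session of that user is ended
        ended = [k for k, s in self.sessions.items()
                 if (s.get("sid") == c["sid"] if "sid" in c else s.get("sub") == c["sub"])]
        for k in ended:
            del self.sessions[k]
        return ended
```

Because the OP cannot know whether the notification arrived, the RP should treat a validation failure as a reason to log and alert, not to silently ignore the request.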

@yurem

Contributor

yurem commented Sep 10, 2015

Also I see that the RP should issue an additional token to conform to this draft spec. This requires additional resources.
In oxTrust we implemented something similar. We call end_session directly (without the user's browser) on oxTrust session destroy: https://github.com/GluuFederation/oxTrust/blob/master/server/src/main/java/org/gluu/oxtrust/service/AuthenticationSessionService.java#L39

@yuriyz

Contributor

yuriyz commented Sep 10, 2015

Ok, we have to distinguish 3 ways of logout:

  1. end session according to http://openid.net/specs/openid-connect-session-1_0.html#OPMetadata
  2. HTTP-based logout http://openid.net/specs/openid-connect-logout-1_0.html
  3. back-channel logout http://openid.net/specs/openid-connect-backchannel-1_0.html

@yurem yes, end_session is enough for oxTrust, so we don't need to change anything there.

From spec:

end_session - URL at the OP to which an RP can perform a redirect to request that the End-User be logged out at the OP.

About back-channel logout, to be honest I have to dig deeper to say more about the pros & cons, but at first glance it looks reasonable.

@yurem

Contributor

yurem commented Sep 11, 2015

@yuriyz, you pasted the right definition of the end_session endpoint.
But our end_session endpoint implementation allows calling it in a way similar to back-channel logout.
The RP can call the OP end_session endpoint directly without the user's browser.
The RP only needs to store the id_token in the session once the user logs in.

For me it's much easier now to use end_session than to implement the Draft 01 version of this spec. I believe the final version, or at least Draft v10, will be changed by 50 percent.

Let me sum up. I am not proposing to forget about this spec. We need to support more specs to make a better server. I propose waiting for a more stable spec version and using our end_session extension in a way similar to back-channel logout.

@willow9886 willow9886 added this to the CE 2.4.4 milestone Jan 13, 2016

@yurem yurem modified the milestones: CE 2.4.5, CE 2.4.4 Jul 14, 2016

@nynymike nynymike modified the milestones: CE 3.1.0, CE 3.0.0 Nov 29, 2016

@nynymike nynymike modified the milestones: 3.2.0, CE 3.1.0 Apr 7, 2017

@willow9886 willow9886 modified the milestones: 3.2.0, CE 3.2.0 Apr 10, 2017

@nynymike nynymike modified the milestones: CE 3.1.0, CE 3.2.0 Apr 29, 2017

@nynymike nynymike assigned worm333 and unassigned yuriyz May 11, 2017

@nynymike

Contributor

nynymike commented May 23, 2017

Here is an article from Vlad on back-channel logout: http://gluu.co/back-logout-vlad

@nynymike nynymike removed the High priority label Jun 26, 2017

@nynymike nynymike modified the milestones: CE 3.3.0, CE 3.1.0, CE 3.2.0 Aug 16, 2017
