The biggest problem for us [1] is backchannel logout and we had to add
a lot of proprietary protocols on top of OIDC's backchannel logout
protocol.  Specifically for "traditional" non-Javascript applications
that have multiple endpoints behind a load balancer.   You are really
at the mercy of the application frameworks and infrastructure used to
secure and cluster the application.   If the framework has no way of
invalidating a session across the cluster, then you're forced to
register each endpoint and have the OP make a logout request to each
of those endpoints.  Even if the framework has a way to invalidate a
session across a cluster, the Session ID is owned and asserted by
the OP.  This means that the application framework has to have a way
to associate the OP's Session ID with a local session.  If there's no
way to do this cross cluster, then you're often forced to fall back to
registering each endpoint and the OP making individual backchannel
logout requests to each RP endpoint.

From a product point of view, the only viable solution is to front
apps with a security proxy.  Otherwise you're resolving the problem
for each and every application framework you'd provide an
adapter/library for.

[1] https://keycloak.org

On Wed, Mar 28, 2018 at 9:53 AM, Mike Jones <michael.jo...@microsoft.com> wrote:
> Digital identity systems almost universally support end-users logging into
> applications and many also support logging out of them.  But while login is
> reasonably well understood, there are many different kinds of semantics for
> “logout” in different use cases and a wide variety of mechanisms for
> effecting logouts.
>
> I led a discussion on the topic “What Does Logout Mean?” at the 2018 OAuth
> Security Workshop in Trento, Italy, which was held the week before IETF 101,
> to explore this topic.  The session was intentionally a highly interactive
> conversation, gathering information from the experts at the workshop to
> expand our collective understanding of the topic.  Brock Allen – a
> practicing application security architect (and MVP for ASP.NET/IIS) –
> significantly contributed to the materials used to seed the discussion.  And
> Nat Sakimura took detailed notes to record what we learned during the
> discussion.
>
> Feedback on the discussion was uniformly positive.  It seemed that all the
> participants learned things about logout use cases, mechanisms, and
> limitations that they hadn’t previously considered.
>
> Materials related to the session are:
>
> Presentation used to bootstrap the discussions (pptx) (pdf)
> Notes from the session
> Workshop submission (pdf)
> OpenID Connect issue “Create a document explaining "single logout"
> semantics”
>
>                                                        -- Mike
>
> P.S. This note was also posted at http://self-issued.info/?p=1804 and as
> @selfissued.
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>



-- 
Bill Burke
Red Hat
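The following is an added example, not code from the post above, from Keycloak, or from the OIDC specification. It shows the two pieces the message says a clustered RP needs for back-channel logout to work: validation of the OP's logout token (issuer, audience, iat, the backchannel-logout event claim, no nonce, sub or sid present) and a shared index that associates the OP's session id (sid) with the RP's own sessions, so that whichever node behind the load balancer receives the logout request can invalidate sessions created on other nodes. The HS256 signing with a client secret, the issuer/client names, the session ids and the in-memory dict standing in for a cluster-wide store are all constructed assumptions; a real deployment would normally verify RS256 tokens against the OP's JWKS and keep the index in a store shared by all nodes.

```python
import base64
import hashlib
import hmac
import json
import time

BACKCHANNEL_LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_logout_token(claims: dict, client_secret: str) -> str:
    """OP-side helper, used here only to construct sample tokens (HS256, assumed)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(client_secret.encode(), signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_logout_token(token: str, client_secret: str, issuer: str,
                        client_id: str, now=None, max_age: int = 300) -> dict:
    """Validate a logout token per the OIDC Back-Channel Logout rules.

    Raises ValueError on any failure; returns the token's claims otherwise.
    """
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    # Pin the algorithm before checking the MAC so a token cannot choose its own.
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(client_secret.encode(),
                        f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)) or not (now - max_age <= iat <= now + 60):
        raise ValueError("iat missing or outside the acceptable window")
    events = claims.get("events")
    if not isinstance(events, dict) or BACKCHANNEL_LOGOUT_EVENT not in events:
        raise ValueError("not a back-channel logout event")
    if "nonce" in claims:
        raise ValueError("logout tokens must not carry a nonce")
    if "sub" not in claims and "sid" not in claims:
        raise ValueError("token needs sub or sid")
    return claims


class ClusterSessionIndex:
    """Map from the OP's identifiers to local sessions, shared by all RP nodes.

    An in-memory stand-in (assumption) for a cluster-wide store; the point is
    that the sid -> local session association lives outside any single node.
    """

    def __init__(self) -> None:
        self.sessions = {}   # local session id -> {"sub": ..., "sid": ...}
        self.by_sid = {}     # OP sid -> set of local session ids
        self.by_sub = {}     # subject -> set of local session ids

    def create(self, local_id: str, sub: str, sid: str) -> None:
        self.sessions[local_id] = {"sub": sub, "sid": sid}
        self.by_sid.setdefault(sid, set()).add(local_id)
        self.by_sub.setdefault(sub, set()).add(local_id)

    def invalidate(self, local_id: str) -> None:
        data = self.sessions.pop(local_id, None)
        if data:
            self.by_sid.get(data["sid"], set()).discard(local_id)
            self.by_sub.get(data["sub"], set()).discard(local_id)

    def handle_logout(self, claims: dict) -> list:
        """Invalidate every local session for the token's sid, or all of the
        subject's sessions when the OP only sent sub. Returns what was cleared."""
        key, table = ("sid", self.by_sid) if "sid" in claims else ("sub", self.by_sub)
        targets = sorted(table.get(claims[key], set()))
        for local_id in targets:
            self.invalidate(local_id)
        return targets


def demo() -> list:
    """Constructed scenario: sessions on two nodes share one OP sid; a logout
    token for that sid must clear both and leave the other sid untouched."""
    secret, issuer, client_id = "client-secret-example", "https://op.example", "rp-app"
    index = ClusterSessionIndex()
    index.create("node1-sess-A", sub="alice", sid="op-sid-1")
    index.create("node2-sess-B", sub="alice", sid="op-sid-1")
    index.create("node2-sess-C", sub="alice", sid="op-sid-2")
    now = 1_700_000_000
    token = sign_logout_token({"iss": issuer, "aud": client_id, "iat": now,
                               "jti": "logout-1", "sid": "op-sid-1",
                               "events": {BACKCHANNEL_LOGOUT_EVENT: {}}}, secret)
    claims = verify_logout_token(token, secret, issuer, client_id, now=now + 5)
    return index.handle_logout(claims)
```

Calling `demo()` returns the two sessions tied to `op-sid-1` and leaves `node2-sess-C` in place. A production receiver would additionally record `jti` values to reject replayed logout tokens, and would respond with an HTTP 400 on any `ValueError` so the OP can log the failed delivery.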
