Re: [OAUTH-WG] What Does Logout Mean?

Wed, 28 Mar 2018 11:25:58 -0700 


> On Mar 28, 2018, at 11:40 AM, Richard Backman, Annabelle 
> <richa...@amazon.com> wrote:
> 
> I'm reminded of this session from IIW 21 
> <http://iiw.idcommons.net/What_Does_%E2%80%9CLogOUT%E2%80%99_mean%3F>. ☺ I 
> look forward to reading the document distilling the various competing use 
> cases and requirements into some semblance of sanity.

I was just thinking how much I’d like to discuss this at an IIW. While 
developing the DTVA submission I wound up taking IMHO a different stance on 
sessions and logout, both technically and conceptually.

>  
> > If the framework has no way of invalidating a session across the cluster…
>  
> Is this a common deficiency in application frameworks? It seems to me that 
> much of the value of a server-side session record is lost if its state isn’t 
> synchronized across the fleet.

Most application frameworks are relatively simple - they initiate a session and 
maintain it locally. They don’t have a single session record that is maintained 
across all applications in a domain. Even frameworks with native support for 
federation protocols or form-based SSO wind up using this authentication to 
create an application-specific session.

Many also attempt to maintain the session information in an ideally 
integrity-protected, time limited, etc cookie, similar to an access token, 
rather than having a database within their application for synchronizing the 
session state. You wind up needing an additional state mechanism in this case 
to record invalidated sessions/tokens, which is typically not provided by 
frameworks.

This was one of the primary focuses of my DTVA submission - a REST API where 
you could submit the `sid` of a token in order to find out if it had been 
invalidated. If you were using some cookie-based storage mechanism, tossing the 
`sid` in let you make this API call after discarding the id_token - hopefully 
allowing for application developers to add checks for an invalidated session as 
part of their global pipeline.

-DW
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

Reply via email to