These kinds of discussions are why I think the signal should just be token revoked. It is up to the receiver to infer meaning.
As soon as we talk in forms like commands (user is to be logged out), a standardized meaning becomes a problem. Receiver decision on action based on an issuer signal is the primary difference between a security event signal (a SET) and a security assertion (a JWT) or a command.

Phil

> On Mar 31, 2018, at 8:15 AM, Bill Burke <bbu...@redhat.com> wrote:
>
> On Fri, Mar 30, 2018 at 2:47 PM, Richard Backman, Annabelle
> <richa...@amazon.com> wrote:
>> It sounds like you're asking the OP to provide client-side session
>> management as a service. There may be value in standardizing that, but I
>> think it goes beyond what Backchannel Logout is intended to do.
>
> Sure, sort of. Though, we would have never implemented these
> extensions if back channel logout didn't exist as a concept and
> requirement. It's all in the sometimes ugly business of supporting
> application developers who have a variety of deployment requirements
> and restrictions.
>
> Bill
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth