Hi,

first of all I hope I ended up in the right list, if not, I’m happy to restate 
the question in the appropriate one!

My question is regarding the OpenID Connect Back- and Front-Channel logout 
(1.0) draft 4 / draft 2. We are currently executing these for all RPs, 
regardless of the specific device / session of the user. Example: Assuming the 
user has two distinct, active sessions on two separate end devices, RPs would 
be notified regardless of the device that was used to perform the OIDC flow in 
the first place, and that is now used by the user to request the logout.

However, one of our community members asked if that is correct, as he would 
expect only those RPs to receive the logout request that have their ID Token 
associated with the specific device session, not globally.

The spec doesn’t - as far as I can tell - give a clear answer to that. Seeing 
that RPs may support the `sid` parameter, it could mean that this is up to the 
RP to decide, not the OP.

It would be great to get clarification on this topic, and maybe provide 
concrete guidelines in the official spec!

I am writing on behalf of the open source, OpenID Certified OpenID Connect 
Provider ORY Hydra ( https://github.com/ory/hydra ).

Thank you for your time,
Aeneas
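The RP-side half of the question above, as an added example that is not part of the original mail or of ORY Hydra: a Back-Channel Logout endpoint that validates the Logout Token per the claim rules of the draft (iss, aud, iat, jti, sub and/or sid, an `events` member carrying `http://schemas.openid.net/event/backchannel-logout`, no nonce) and then scopes the session termination on whether the OP included `sid`. It assumes an HS256 key shared between OP and RP so it runs offline (real OPs sign Logout Tokens with the asymmetric keys at `jwks_uri`); the issuer, client id, key and session store are constructed sample data.

```python
"""RP handling of an OIDC Back-Channel Logout Token (added example).

Assumes a shared HS256 key so the demo is self-contained; production RPs
verify the OP's asymmetric signature via its jwks_uri. All identifiers
and the session store below are constructed sample data.
"""
import base64
import hashlib
import hmac
import json
import time

BACKCHANNEL_LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"

ISSUER = "https://op.example.test"                   # constructed
CLIENT_ID = "rp-client-id"                           # constructed
SHARED_KEY = b"constructed-demo-key-not-for-production"

# Constructed RP session store: local session -> (sub, sid) taken from the
# ID Token that created it. user-1 is logged in on two devices.
SESSIONS = {
    "rp-sess-laptop": {"sub": "user-1", "sid": "op-sid-laptop"},
    "rp-sess-phone":  {"sub": "user-1", "sid": "op-sid-phone"},
    "rp-sess-other":  {"sub": "user-2", "sid": "op-sid-other"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_logout_token(claims: dict, key: bytes = SHARED_KEY) -> str:
    """Stand-in for the OP: build an HS256-signed JWT from the given claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_logout_token(token: str, key: bytes = SHARED_KEY, now=None) -> dict:
    """Check the signature, then the Logout Token claim rules; return the claims."""
    now = time.time() if now is None else now
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("not addressed to this client")
    if not isinstance(claims.get("iat"), (int, float)) or claims["iat"] > now + 60:
        raise ValueError("missing or future iat")
    if not claims.get("jti"):
        raise ValueError("jti required")            # also the replay-cache key
    if "sub" not in claims and "sid" not in claims:
        raise ValueError("sub or sid required")
    if "nonce" in claims:
        raise ValueError("nonce must not be present in a Logout Token")
    events = claims.get("events")
    if not isinstance(events, dict) or BACKCHANNEL_LOGOUT_EVENT not in events:
        raise ValueError("missing backchannel-logout event")
    return claims


def apply_logout(claims: dict, sessions: dict) -> list:
    """Terminate the sessions the token identifies; return their ids.

    With sid present only the RP session born from that OP session ends
    (per-device logout). With sub alone, every session of that subject ends.
    """
    if "sid" in claims:
        targets = [k for k, v in sessions.items() if v["sid"] == claims["sid"]]
    else:
        targets = [k for k, v in sessions.items() if v["sub"] == claims["sub"]]
    for k in targets:
        del sessions[k]
    return sorted(targets)


def handle_backchannel_logout(token: str, sessions: dict, now=None) -> list:
    return apply_logout(verify_logout_token(token, now=now), sessions)


def demo() -> dict:
    """Run a per-device and a global logout against copies of the sample store."""
    base = {"iss": ISSUER, "aud": CLIENT_ID, "iat": 1_700_000_000,
            "jti": "constructed-jti", "events": {BACKCHANNEL_LOGOUT_EVENT: {}}}
    per_device = mint_logout_token({**base, "sub": "user-1", "sid": "op-sid-laptop"})
    global_logout = mint_logout_token({**base, "sub": "user-1"})
    s1 = {k: dict(v) for k, v in SESSIONS.items()}
    s2 = {k: dict(v) for k, v in SESSIONS.items()}
    return {"per_device": handle_backchannel_logout(per_device, s1, now=1_700_000_000),
            "global": handle_backchannel_logout(global_logout, s2, now=1_700_000_000)}
```

Whichever way the OP answers the question in the mail, an RP that stores `sid` alongside each local session can honour both shapes: a token carrying `sid` ends one device's session, a token carrying only `sub` ends all of that user's sessions at the RP. The `jti` check is where a real deployment would also consult a replay cache.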
_______________________________________________
specs mailing list
[email protected]
http://lists.openid.net/mailman/listinfo/openid-specs
