Session - 5.1.1 Consider registration of session_signout_uri parameter

Issue #916 wontfix
Former user created an issue

In addition to what is specified in the current draft of the Session spec, our implementation provides server-side session sign-out notifications. If a client has registered a session sign-out URI with the OP, the OP will attempt to notify that client of any terminated sessions that the client is participating in, by calling that URI with an "id_token" query parameter whose value represents the session just ended. There is no guarantee of service on this call.

I'm looking for feedback from the group on this approach.

Comments (3)

  1. gffletch

    Is the notification done server-to-server? or via the browser? If the RP tracks sessions on the server side, then a server-to-server call is sufficient (and simpler). If the RP only tracks sessions via cookies, then either the notification needs to come via the front channel or the RP needs to implement some sort of "expired sessions" cache and check it when validating the cookies.

    Mostly curious as to what the current implementation does.

    Thanks, George

  2. Former user Account Deleted

    The notification I'm describing is server-to-server - back-channel. For those clients that are participating in the session, but don't have (or no longer have) a front-channel connection.

  3. Nat Sakimura

    The group came up with the conclusion that we should close the case with wontfix for the current session management document but consider coming up with an extension spec to support this capability, as it has potential usefulness in some cases.

    Todd agreed to it, so closing this one as wontfix.
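
An RP-side sketch of the back-channel notification described in this issue, feeding the "expired sessions" cache raised in the first comment. This is an added example, not code from the thread or from any implementation. It assumes HS256 ID tokens signed with the client secret and local sessions keyed by a hash of the ID token received at login; all names and values are constructed.

```python
import base64, hashlib, hmac, json

CLIENT_ID = "rp-example"                 # constructed value
CLIENT_SECRET = b"constructed-secret"    # constructed HS256 key shared with the OP
ISSUER = "https://op.example"            # constructed issuer

def _b64d(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def _b64e(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def sign_id_token(claims, key=CLIENT_SECRET):
    """Helper standing in for the OP: build an HS256-signed ID token."""
    head = _b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64e(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64e(sig)}"

def verify_id_token(token):
    """Return the claims if alg, signature, iss and aud check out, else None."""
    try:
        head, body, sig = token.split(".")
        if json.loads(_b64d(head)).get("alg") != "HS256":
            return None                  # rejects "none" and unexpected algorithms
        good = hmac.new(CLIENT_SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(good, _b64d(sig)):
            return None
        claims = json.loads(_b64d(body))
        ok = claims.get("iss") == ISSUER and claims.get("aud") == CLIENT_ID
        return claims if ok else None
    except (ValueError, TypeError, AttributeError):
        return None                      # malformed token

class RelyingParty:
    def __init__(self):
        self.sessions = {}     # cookie value -> sha256 of the ID token from login
        self.ended = set()     # "expired sessions" cache filled by notifications
    def login(self, cookie, id_token):
        self.sessions[cookie] = hashlib.sha256(id_token.encode()).hexdigest()
    def on_signout_notification(self, id_token):
        """Handler for the registered sign-out URI; returns an HTTP status."""
        if verify_id_token(id_token) is None:
            return 400         # the caller is unauthenticated: ignore bad tokens
        self.ended.add(hashlib.sha256(id_token.encode()).hexdigest())
        return 200
    def cookie_is_valid(self, cookie):
        h = self.sessions.get(cookie)
        return h is not None and h not in self.ended
```

Token expiry is deliberately not checked in the handler, since the ID token for a session that has just ended may already be past its `exp`.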
