Logout Token has wrong mandatory field (sub vs. jti)
The logout token currently requires sub. If sub is the only value provided, it will require stateful lookup to find out what ID Tokens are active which may not be possible or very expensive.
Concerns with the current draft:
- sub based logout will have the effect of logging out all sessions on all devices/browsers associated with the user and is likely not expected.
- if logout is not by session id, it will cause timing difficulties for the user that logs back in again or is forced to re-authenticate since a logout token might arrive after the user has established a new session.
- the token may need to convey different types: universal, session/jti, device, application
- the construction of the event will make it inconsistent with other id-tokens (in terms of the IETF proposal) which cannot use OP "sub" as their value - or worse, that other event types will start using sub as a URI to describe things other than user identifiers.
- using sub in the top-level means that only the issuer of an ID Token can do a logout - which is not an appropriate limitation in a distributed deployment architecture. Validation of the event can be done by agreement of who acceptable issuers are as part of the subscription process.
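As an added illustration (not code from the issue or from any OpenID draft), the following shows how a relying party could apply a logout token that names a session id versus one that carries only sub, and how the timing concern above (a token arriving after the user has re-established a session) can be handled by comparing session creation time with the token's iat. The claim name `sid`, the in-memory session store and the sample sessions are assumptions made for this example; signature verification of the token is assumed to have happened already.

```python
from dataclasses import dataclass

@dataclass
class Session:
    sid: str          # session identifier shared between OP and RP (assumed claim name)
    sub: str          # subject the session belongs to
    created_at: int   # Unix time at which the RP established the session

class SessionStore:
    """Minimal in-memory RP session store, constructed for this example."""
    def __init__(self, sessions):
        self.sessions = {s.sid: s for s in sessions}

    def by_sid(self, sid):
        return self.sessions.get(sid)

    def by_sub(self, sub):
        return [s for s in self.sessions.values() if s.sub == sub]

    def terminate(self, sid):
        self.sessions.pop(sid, None)

def apply_logout_token(store, token):
    """Apply an already signature-verified logout token; return the sids ended.

    sid present: end exactly that session, no per-user lookup needed.
    sub only:    end only sessions created before the token's iat, so a session
                 the user re-established after the OP issued the token survives.
    """
    if "sid" in token:
        session = store.by_sid(token["sid"])
        # Unknown session, or sid and sub disagree: nothing to end.
        if session is None or ("sub" in token and session.sub != token["sub"]):
            return []
        store.terminate(session.sid)
        return [session.sid]
    if "sub" in token:
        if "iat" not in token:
            raise ValueError("sub-based logout token must carry iat")
        ended = sorted(s.sid for s in store.by_sub(token["sub"])
                       if s.created_at < token["iat"])
        for sid in ended:
            store.terminate(sid)
        return ended
    raise ValueError("logout token carries neither sid nor sub")

def make_sample_store():
    """Constructed sample: alice has two sessions from before t=2000 and one re-established at t=3000."""
    return SessionStore([Session("s1", "alice", 1000), Session("s2", "alice", 1500),
                         Session("s3", "alice", 3000), Session("s4", "bob", 1200)])
```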
Comments (7)
reporter: John pointed out that we don't want to use jti but rather session id.
- changed milestone to Implementer's Draft
- changed component to Logout
The current back-channel logout draft is compatible with draft-hunt-idevent-token-03.
- changed status to resolved