Logout Token has wrong mandatory field (sub vs. jti)

Issue #1000 resolved
Phil Hunt created an issue

The logout token currently requires sub. If sub is the only value provided, it will require a stateful lookup to find out which ID Tokens are active, which may not be possible or may be very expensive.

Concerns with the current draft:

  • sub-based logout will have the effect of logging out all sessions on all devices/browsers associated with the user and is likely not expected.

  • if logout is not by session id, it will cause timing difficulties for the user that logs back in again or is forced to re-authenticate since a logout token might arrive after the user has established a new session.

  • the token may need to convey different types: universal, session/jti, device, application

  • the construction of the event will make it inconsistent with other ID Tokens (in terms of the IETF proposal) which cannot use the OP "sub" as their value - or worse, other event types will start using sub as a URI to describe things other than user identifiers.

  • using sub at the top level means that only the issuer of an ID Token can do a logout - which is not an appropriate limitation in a distributed deployment architecture. Validation of the event can be done by agreement on who the acceptable issuers are as part of the subscription process.
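To make the trade-offs in the issue concrete, here is an added example (not code from the issue, the draft, or the working group) of how a relying party might dispatch an already signature-verified logout token against its session store. It assumes the standard JWT claims `iss`, `iat`, `sub` and a session-identifier claim named `sid`; the `sid` claim name, the `Session`/`SessionStore` types and the sample sessions are all constructed for this illustration. A token carrying `sid` terminates exactly one session; a token carrying only `sub` terminates every session of that user, but skips sessions established after the token's `iat` so a late-arriving token cannot knock out a fresh login; and the issuer is checked against the set agreed at subscription time rather than against the ID Token's original issuer.

```python
"""Dispatch a verified back-channel logout token against a session store.

Added example for the issue discussion; not spec or project code.
Assumes: signature and audience of the token were already verified and its
claims are handed over as a dict; `sid` is the assumed session-id claim name.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Session:
    """One relying-party session established from an ID Token (constructed type)."""
    sid: str              # session identifier (assumed claim name, see lead-in)
    sub: str              # subject identifier from the ID Token
    established_at: int   # seconds since epoch when the RP session was created
    active: bool = True


class SessionStore:
    """Minimal in-memory session store keyed by session id (constructed)."""

    def __init__(self) -> None:
        self._by_sid: Dict[str, Session] = {}

    def add(self, session: Session) -> None:
        self._by_sid[session.sid] = session

    def get(self, sid: str) -> Optional[Session]:
        return self._by_sid.get(sid)

    def active_sids_for(self, sub: str) -> List[str]:
        """All active session ids for a subject, sorted for stable output."""
        return sorted(s.sid for s in self._by_sid.values()
                      if s.sub == sub and s.active)


def apply_logout_token(store: SessionStore, claims: dict,
                       trusted_issuers: Set[str]) -> List[str]:
    """Terminate the sessions named by a logout token; return terminated sids."""
    # Issuer agreement: accept any issuer the subscription trusts, not only
    # the issuer of the original ID Token.
    if claims.get("iss") not in trusted_issuers:
        raise ValueError("logout token from untrusted issuer")
    if "iat" not in claims:
        raise ValueError("logout token missing iat")

    if "sid" in claims:
        # Session-scoped logout: exactly one session, other devices untouched.
        session = store.get(claims["sid"])
        if session is None or not session.active:
            return []
        session.active = False
        return [session.sid]

    if "sub" in claims:
        # Subject-scoped logout: every session of the user goes, which is the
        # broad effect the issue warns about. Sessions established after the
        # token was issued are left alone so a late token cannot log out a
        # user who has just re-authenticated.
        terminated: List[str] = []
        for sid in store.active_sids_for(claims["sub"]):
            session = store.get(sid)
            if session is not None and session.established_at <= claims["iat"]:
                session.active = False
                terminated.append(sid)
        return terminated

    raise ValueError("logout token carries neither sid nor sub")


def build_demo_store() -> SessionStore:
    """Constructed sample data: alice on two devices, bob on one."""
    store = SessionStore()
    store.add(Session(sid="s-alice-laptop", sub="alice", established_at=100))
    store.add(Session(sid="s-alice-phone", sub="alice", established_at=200))
    store.add(Session(sid="s-bob-laptop", sub="bob", established_at=150))
    return store


if __name__ == "__main__":
    trusted = {"https://op.example"}
    by_session = build_demo_store()
    print(apply_logout_token(by_session,
                             {"iss": "https://op.example", "iat": 300,
                              "sid": "s-alice-laptop"}, trusted))
    by_subject = build_demo_store()
    print(apply_logout_token(by_subject,
                             {"iss": "https://op.example", "iat": 150,
                              "sub": "alice"}, trusted))
```

Running the script shows the difference the issue is about: the `sid` token ends only the laptop session, while the `sub` token ends every alice session that predates the token (the phone session established at 200 survives a token issued at 150), and nothing of bob's is touched in either case.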
