Back-Channel Logout 1.0 - draft 04
Section 1: "Another significant limitation of back-channel logout is that the RP's back-channel logout URI must be reachable from all the OPs used. This means, for instance, that the RP cannot be behind a firewall or NAT when used with public OPs." This confuses me. Is it not automatically true already for any RP supporting OpenID Connect?
Section 2.3 "OPs supporting back-channel logout need to keep track of the set of logged-in RPs" - I have no good idea what this means. I did not think that RPs were logged in. Could it mean "keep track of user logged in sessions at an RP"?
Comments (3)
The "keeping track" language should be applied to Front-Channel Logout as well, as others also noted.
- changed status to resolved
The "keeping track" language was added to RP-Initiated Logout in https://bitbucket.org/openid/connect/commits/847be44033ed41e8080b760f3c3a0302318d248f .
Re: para 1 -- not quite. With implicit flow, it could be behind a firewall or NAT.