Re: [OAUTH-WG] What Does Logout Mean?

Bill Burke <> Wed, 28 March 2018 15:18 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 06C631201FA for <>; Wed, 28 Mar 2018 08:18:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.921
X-Spam-Status: No, score=-1.921 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id hXs7EdDOnAe4 for <>; Wed, 28 Mar 2018 08:18:37 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 29FB91273B1 for <>; Wed, 28 Mar 2018 08:18:35 -0700 (PDT)
Received: by with SMTP id v205so137646vkv.13 for <>; Wed, 28 Mar 2018 08:18:35 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=Cgl6rtoCHSyaxXsQyGumFfSrMnJJtU6syI4VGgvXio4=; b=La5fwuItMvU9l6r9jhTbxXEWLmvYIYS/5zdWSVbwjz4ZM7Y4yh7bBrRi47Cf8Xvaow 982pWgDj6F57mtKYgE2lroBI/NosQdbWxTSkmiJYB5vK01B4YlNeLIine9Ej3hDDyuc3 oj3yWpoYMVWHZHNY7MhjaOstpk2S4imaqUCqJ+N00E8igjEDlJUsCdUvpdlkJl3cDQvF FvgBo1xoyrafpS6rZO65Kkz3gw02WcgDOXCf3iGTBcdYlWTelKyNCCnp4VLlasiKjbuL UqQfF9LexNgz5vwOyJpAg/ca2urz+4nJMZZShnUGq/fPTXMH6W27JRij+tRXAdg0BcG+ m1Wg==
X-Gm-Message-State: AElRT7GTe7pnm2LvD1SU8pjiTYPMMYiHJotexpztgHsoBt71TJTX89lp Pi3C9M13r/RBpvk49MBXRI789lqHqCaonxt8xHxvzg==
X-Google-Smtp-Source: AIpwx49FMN1jklcdsJTWIQokUrHN/N3vYrvbKAOPDUoGj6OvGfo65iOGws6G6l+2vuTyBlKbuOYTO38fWsDaPEJ2GmI=
X-Received: by with SMTP id e135mr2575541vkf.186.1522250314109; Wed, 28 Mar 2018 08:18:34 -0700 (PDT)
MIME-Version: 1.0
Received: by with HTTP; Wed, 28 Mar 2018 08:18:33 -0700 (PDT)
In-Reply-To: <>
References: <>
From: Bill Burke <>
Date: Wed, 28 Mar 2018 11:18:33 -0400
Message-ID: <>
To: Mike Jones <>
Cc: "" <>, Roberto Carbone <>, Nat Sakimura <>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <>
Subject: Re: [OAUTH-WG] What Does Logout Mean?
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 28 Mar 2018 15:18:40 -0000

The biggest problem for us [1] is backchannel logout and we had to add
a lot of proprietary protocols on top of OIDC's backchannel logout
protocol.  Specifically for "traditional" non-Javascript applications
that have multiple endpoints behind a load balancer.   You are really
at the mercy of the application frameworks and infrastructure used to
secure and cluster the application.   If the framework has no way of
invalidating a session across the cluster, then you're forced to
register each endpoint and have the OP make a logout request to each
of those endpoints.  Even if the framework has a way to invalidate a
session across a cluster, the the Session ID is owned and asserted by
the OP.  This means that the application framework has to have a way
to associate the OP's Session ID with a local session.  If there's no
way to do this cross cluster, then you're often forced to fallback to
registering each endpoint and the OP making individual backchannel
logout requests to each RP endpoint.

>From a product point of view, the only viable solution is to front
apps with a security proxy.  Otherwise you're resolving the problem
for each and every application framework you'd provide an
adapter/library for.


On Wed, Mar 28, 2018 at 9:53 AM, Mike Jones <> wrote:
> Digital identity systems almost universally support end-users logging into
> applications and many also support logging out of them.  But while login is
> reasonable well understood, there are many different kinds of semantics for
> “logout” in different use cases and a wide variety of mechanisms for
> effecting logouts.
> I led a discussion on the topic “What Does Logout Mean?” at the 2018 OAuth
> Security Workshop in Trento, Italy, which was held the week before IETF 101,
> to explore this topic.  The session was intentionally a highly interactive
> conversation, gathering information from the experts at the workshop to
> expand our collective understanding of the topic.  Brock Allen – a
> practicing application security architect (and MVP for ASP.NET/IIS) –
> significantly contributed to the materials used to seed the discussion.  And
> Nat Sakimura took detailed notes to record what we learned during the
> discussion.
> Feedback on the discussion was uniformly positive.  It seemed that all the
> participants learned things about logout use cases, mechanisms, and
> limitations that they previously hadn’t previously considered.
> Materials related to the session are:
> Presentation used to bootstrap the discussions (pptx) (pdf)
> Notes from the session
> Workshop submission (pdf)
> OpenID Connect issue “Create a document explaining "single logout"
> semantics”
>                                                        -- Mike
> P.S. This note was also posted at and as
> @selfissued.
> _______________________________________________
> OAuth mailing list

Bill Burke
Red Hat