Re: [OAUTH-WG] What Does Logout Mean?

Bill Burke <bburke@redhat.com> Wed, 28 March 2018 15:18 UTC

In-Reply-To: <DM5PR00MB02932B889807DF883C006512F5A30@DM5PR00MB0293.namprd00.prod.outlook.com>
References: <DM5PR00MB02932B889807DF883C006512F5A30@DM5PR00MB0293.namprd00.prod.outlook.com>
From: Bill Burke <bburke@redhat.com>
Date: Wed, 28 Mar 2018 11:18:33 -0400
Message-ID: <CABRXCmykJMcy-PdapRURd7YuZxfMbD9dHkf89AKxObM_2bAqKQ@mail.gmail.com>
To: Mike Jones <Michael.Jones@microsoft.com>
Cc: "oauth@ietf.org" <oauth@ietf.org>, Roberto Carbone <carbone@fbk.eu>, Nat Sakimura <nat@sakimura.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/KKviOUAHQhcR7wmjVDW99U_Otaw>
Subject: Re: [OAUTH-WG] What Does Logout Mean?

The biggest problem for us [1] is backchannel logout and we had to add
a lot of proprietary protocols on top of OIDC's backchannel logout
protocol.  Specifically for "traditional" non-Javascript applications
that have multiple endpoints behind a load balancer.   You are really
at the mercy of the application frameworks and infrastructure used to
secure and cluster the application.   If the framework has no way of
invalidating a session across the cluster, then you're forced to
register each endpoint and have the OP make a logout request to each
of those endpoints.  Even if the framework has a way to invalidate a
session across a cluster, the Session ID is owned and asserted by
the OP.  This means that the application framework has to have a way
to associate the OP's Session ID with a local session.  If there's no
way to do this cross cluster, then you're often forced to fall back to
registering each endpoint and the OP making individual backchannel
logout requests to each RP endpoint.

From a product point of view, the only viable solution is to front
apps with a security proxy.  Otherwise you're resolving the problem
for each and every application framework you'd provide an
adapter/library for.

[1] https://keycloak.org

On Wed, Mar 28, 2018 at 9:53 AM, Mike Jones <Michael.Jones@microsoft.com> wrote:
> Digital identity systems almost universally support end-users logging into
> applications and many also support logging out of them.  But while login is
> reasonably well understood, there are many different kinds of semantics for
> “logout” in different use cases and a wide variety of mechanisms for
> effecting logouts.
>
> I led a discussion on the topic “What Does Logout Mean?” at the 2018 OAuth
> Security Workshop in Trento, Italy, which was held the week before IETF 101,
> to explore this topic.  The session was intentionally a highly interactive
> conversation, gathering information from the experts at the workshop to
> expand our collective understanding of the topic.  Brock Allen – a
> practicing application security architect (and MVP for ASP.NET/IIS) –
> significantly contributed to the materials used to seed the discussion.  And
> Nat Sakimura took detailed notes to record what we learned during the
> discussion.
>
> Feedback on the discussion was uniformly positive.  It seemed that all the
> participants learned things about logout use cases, mechanisms, and
> limitations that they hadn't previously considered.
>
> Materials related to the session are:
>
> Presentation used to bootstrap the discussions (pptx) (pdf)
> Notes from the session
> Workshop submission (pdf)
> OpenID Connect issue “Create a document explaining "single logout"
> semantics”
>
>                                                        -- Mike
>
> P.S. This note was also posted at http://self-issued.info/?p=1804 and as
> @selfissued.



-- 
Bill Burke
Red Hat
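The back-channel logout mechanics the message above describes, as a worked example: the OP asserts a session ID (the `sid` claim of the logout token), the RP has to map that OP session ID to its own local sessions, and the invalidation has to reach every node behind the load balancer. This is added code, not Keycloak's and not part of the thread. It assumes an HS256 shared secret in place of the OP's real (usually asymmetric) signing key so it runs offline, an in-memory dict standing in for a cluster-shared session store such as Redis, and constructed sample values (issuer `https://op.example`, client `rp-client`, OP session `op-sid-1`). The validation steps follow OpenID Connect Back-Channel Logout 1.0 section 2.6.

```python
import base64
import hashlib
import hmac
import json

# Event key defined by OpenID Connect Back-Channel Logout 1.0.
BACKCHANNEL_LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_logout_token(claims: dict, secret: bytes) -> str:
    # Constructed OP side, HS256 with a shared secret so the demo needs no key
    # material. A real OP signs with its published (usually asymmetric) key.
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def _verify_and_decode(token: str, secret: bytes) -> dict:
    header_b64, body_b64, sig_b64 = token.split(".")  # ValueError if malformed
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("alg is not the one this RP pinned")  # never honour 'none'
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(body_b64))

def validate_logout_token(token, secret, issuer, client_id, now, max_age=300):
    """RP-side checks from Back-Channel Logout 1.0 section 2.6."""
    claims = _verify_and_decode(token, secret)
    if claims.get("iss") != issuer:
        raise ValueError("iss mismatch")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("aud mismatch")
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)) or not (now - max_age <= iat <= now + 60):
        raise ValueError("iat outside acceptable window")
    events = claims.get("events")
    if not isinstance(events, dict) or not isinstance(events.get(BACKCHANNEL_LOGOUT_EVENT), dict):
        raise ValueError("missing backchannel-logout event")
    if "sub" not in claims and "sid" not in claims:
        raise ValueError("logout token needs sub and/or sid")
    if "nonce" in claims:
        raise ValueError("nonce must not be present (this is not an ID token)")
    if not claims.get("jti"):
        raise ValueError("jti required")
    return claims

class ClusterSessionStore:
    """Stand-in for a store shared by every node behind the load balancer (Redis,
    a database, ...): local sessions indexed by the OP's sid and by (iss, sub)."""
    def __init__(self):
        self.sessions = {}     # local_sid -> {"iss", "sub", "op_sid"}
        self.by_op_sid = {}    # op_sid -> set of local_sid
        self.by_sub = {}       # (iss, sub) -> set of local_sid
        self.seen_jti = set()  # logout tokens already processed (replay guard)

    def create_session(self, local_sid, iss, sub, op_sid):
        self.sessions[local_sid] = {"iss": iss, "sub": sub, "op_sid": op_sid}
        self.by_op_sid.setdefault(op_sid, set()).add(local_sid)
        self.by_sub.setdefault((iss, sub), set()).add(local_sid)

    def drop(self, local_sids):
        dropped = []
        for local_sid in sorted(local_sids):
            s = self.sessions.pop(local_sid, None)
            if s is not None:
                self.by_op_sid[s["op_sid"]].discard(local_sid)
                self.by_sub[(s["iss"], s["sub"])].discard(local_sid)
                dropped.append(local_sid)
        return dropped

def handle_backchannel_logout(store, token, secret, issuer, client_id, now):
    """One RP back-channel logout endpoint for the whole cluster; returns the
    local session IDs it invalidated ([] on a replayed token)."""
    claims = validate_logout_token(token, secret, issuer, client_id, now)
    if claims["jti"] in store.seen_jti:
        return []
    store.seen_jti.add(claims["jti"])
    if "sid" in claims:
        targets = store.by_op_sid.get(claims["sid"], set())
    else:
        targets = store.by_sub.get((claims["iss"], claims["sub"]), set())
    return store.drop(set(targets))

def demo():
    # Constructed values: two cluster nodes each hold a local session bound to the
    # same OP session (sid "op-sid-1"), plus an unrelated session for another user.
    secret, issuer, client_id, now = b"demo-secret", "https://op.example", "rp-client", 1_522_250_000
    store = ClusterSessionStore()
    store.create_session("node1-sess-a", issuer, "alice", "op-sid-1")
    store.create_session("node2-sess-b", issuer, "alice", "op-sid-1")
    store.create_session("node1-sess-c", issuer, "bob", "op-sid-2")
    token = sign_logout_token({"iss": issuer, "aud": client_id, "iat": now, "jti": "jti-1",
                               "sub": "alice", "sid": "op-sid-1",
                               "events": {BACKCHANNEL_LOGOUT_EVENT: {}}}, secret)
    first = handle_backchannel_logout(store, token, secret, issuer, client_id, now + 5)
    replay = handle_backchannel_logout(store, token, secret, issuer, client_id, now + 5)
    return first, replay, "node1-sess-c" in store.sessions
```

Calling `demo()` returns `(['node1-sess-a', 'node2-sess-b'], [], True)`: one logout request from the OP invalidates both local sessions that were bound to `op-sid-1` regardless of which node created them, a replay of the same `jti` does nothing, and the other user's session is untouched. The point of the shared index is exactly the one the message makes: if the RP framework cannot look up "which local sessions belong to this OP sid" across the cluster, the only fallback is registering every node with the OP and having it call each one.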