Re: [OAUTH-WG] What Does Logout Mean?

"Richard Backman, Annabelle" <> Fri, 30 March 2018 18:48 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 534EF1273B1 for <>; Fri, 30 Mar 2018 11:48:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -14.511
X-Spam-Status: No, score=-14.511 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id xkHBg7uWA0mp for <>; Fri, 30 Mar 2018 11:48:07 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id B241A12711E for <>; Fri, 30 Mar 2018 11:48:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;;; q=dns/txt; s=amazon201209; t=1522435684; x=1553971684; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=N5vEIV5zY5haEUjhanWQXkAL2jBEBvTXrIznSrhopKo=; b=Un1ZBuH063+H7HyTRGhF5mciHYYmGik9ziTBcZ1P7Es74f+XHP6NdzBk Ur0d39xh/F5iEKCSqdn227mrwKts67sPJGVEkpzKYcjQMtIudspH6khQ5 gki9Zt9RHs6WhjWDddPVMQGh2Jrr7vHRK6ZrFIFuuCURJuqvUHhgKimau k=;
X-IronPort-AV: E=Sophos;i="5.48,382,1517875200"; d="scan'208";a="603968690"
Received: from (HELO ([]) by with ESMTP/TLS/DHE-RSA-AES256-SHA; 30 Mar 2018 18:48:02 +0000
Received: from ( []) by (8.14.7/8.14.7) with ESMTP id w2UIluIb049477 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Fri, 30 Mar 2018 18:48:00 GMT
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1236.3; Fri, 30 Mar 2018 18:47:59 +0000
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1236.3; Fri, 30 Mar 2018 18:47:59 +0000
Received: from ([]) by ([]) with mapi id 15.00.1236.000; Fri, 30 Mar 2018 18:47:59 +0000
From: "Richard Backman, Annabelle" <>
To: Bill Burke <>
CC: Mike Jones <>, Roberto Carbone <>, "" <>, Nat Sakimura <>
Thread-Topic: [OAUTH-WG] What Does Logout Mean?
Thread-Index: AdPFuZ82AUZiFFvRRIWVC98G86INvgA7mmyA//+yZICAAI4MgP//m6SAgACNGQCAAmHFgIAAgaKA//+dPwA=
Date: Fri, 30 Mar 2018 18:47:59 +0000
Message-ID: <>
References: <> <> <> <> <> <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
user-agent: Microsoft-MacOutlook/10.b.0.180311
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: []
Content-Type: text/plain; charset="utf-8"
Content-ID: <>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Precedence: Bulk
Archived-At: <>
Subject: Re: [OAUTH-WG] What Does Logout Mean?
X-Mailman-Version: 2.1.22
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 30 Mar 2018 18:48:09 -0000

It sounds like you're asking the OP to provide client-side session management as a service. There may be value in standardizing that, but I think it goes beyond what Backchannel Logout is intended to do.

Annabelle Richard Backman
Amazon – Identity Services
On 3/30/18, 10:42 AM, "Bill Burke" <> wrote:

    On Fri, Mar 30, 2018 at 12:57 PM, Richard Backman, Annabelle
    <> wrote:
    > FWIW, our OP implementation allows RPs to register their node specific
    > logout endpoints at boot.  This request is authenticated via client
    > authentication.  We also extended code to token request to transmit the
    > local session id.  The OP stores this information.  Backchannel logout POSTS
    > to each and every registered node and transmits a JWS signed by the OP
    > containing the local session ids to invalidate.  That's been enough to cover
    > all the weirdness out there so far.
    > [richanna]
    > What does “at boot” mean in the context of OpenID Connect? Do you mean that
    > for every logout, the OP makes a Backchannel Logout request to each of the
    > client’s node-specific logout endpoints?
    Just in case....This is all for backchannel logouts which are out of
    band from the browser.
    Node boots up and registers with the Auth Server its logout endpoint.
    POST /authserver/node_registration
     As I mentioned earlier, the node doing code to token request will
    also pass its local session id so it can be associated with the Auth
    server's SID.  When an admin initiates a forced logout, a backchannel
    logout request is sent to each client's logout endpoint.  If the
    client has nodes that have registered, this request is duplicated to
    each node.
    > If that’s the case, why can’t the
    > client make those calls themselves, from whichever host happens to receive
    > the Backchannel Logout request?
    Your assuming that each node has knowledge of cluster topology which
    isn't neccesarily true.  Each additional proprietary extension we've
    made is optional.  Nodes can optionally register themselves.  Nodes
    can optionally send local session ids with the code to token request.
    > Since the client only cares about node-local state, they should be able to
    > maintain the mapping between OP session IDs and local session IDs on their
    > side.
    Considering a cluster of load balanced web applications that dont'
    have session replication and don't have knowledge of cluster topology.
    The only way for the Auth Server to perform backchannel logout is to
    send the same backchannel logout to each and every node.
    There's also the case where the nodes do support session replication,
    but don't have a way to get at topology or a way to store the
    association between the SID and application session id.  In this case
    you don't need node registration, but you do need a way to associate
    the SID with the local session id.
    As a IDP vendor, you have to support all these types of clients.
    Telling developers that they are just going to have to manage this
    themselves is not really an option if you want adoption.