[OAUTH-WG] What Does Logout Mean?

Mike Jones <Michael.Jones@microsoft.com> Wed, 28 March 2018 13:53 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: "oauth@ietf.org" <oauth@ietf.org>
CC: "brockallen@gmail.com" <brockallen@gmail.com>, Nat Sakimura <nat@sakimura.org>, Roberto Carbone <carbone@fbk.eu>, Giada Sciarretta <giada.sciarretta@fbk.eu>
Thread-Topic: What Does Logout Mean?
Date: Wed, 28 Mar 2018 13:53:14 +0000
Message-ID: <DM5PR00MB02932B889807DF883C006512F5A30@DM5PR00MB0293.namprd00.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/7pBQbVxPPAMFNgqNaxrGZduzArQ>
Subject: [OAUTH-WG] What Does Logout Mean?
List-Id: OAUTH WG <oauth.ietf.org>

Digital identity systems almost universally support end-users logging into applications and many also support logging out of them.  But while login is reasonably well understood, there are many different kinds of semantics for "logout" in different use cases and a wide variety of mechanisms for effecting logouts.

I led a discussion on the topic "What Does Logout Mean?" at the 2018 OAuth Security Workshop<http://st.fbk.eu/osw2018> in Trento, Italy, which was held the week before IETF 101<https://www.ietf.org/how/meetings/past/101/>, to explore this topic.  The session was intentionally a highly interactive conversation, gathering information from the experts at the workshop to expand our collective understanding of the topic.  Brock Allen<https://brockallen.com/about/> - a practicing application security architect (and MVP for ASP.NET/IIS) - significantly contributed to the materials used to seed the discussion.  And Nat Sakimura<https://nat.sakimura.org/about-me/> took detailed notes to record what we learned during the discussion.

Feedback on the discussion was uniformly positive.  It seemed that all the participants learned things about logout use cases, mechanisms, and limitations that they hadn't previously considered.

Materials related to the session are:

  *   Presentation used to bootstrap the discussions (pptx<http://self-issued.info/presentations/What_Does_Logout_Mean_Presentation.pptx>) (pdf<http://self-issued.info/presentations/What_Does_Logout_Mean_Presentation.pdf>)
  *   Notes from the session<https://bitbucket.org/openid/connect/wiki/What%20Does%20Logout%20Mean%3F>
  *   Workshop submission (pdf<http://self-issued.info/papers/What_Does_Logout_Mean.pdf>)
  *   OpenID Connect issue "Create a document explaining "single logout" semantics<https://bitbucket.org/openid/connect/issues/984/create-a-document-explaining-single-logout>"

                                                       -- Mike

P.S. This note was also posted at http://self-issued.info/?p=1804 and as @selfissued<https://twitter.com/selfissued>.