Re: [OAUTH-WG] What Does Logout Mean?

"Richard Backman, Annabelle" <richanna@amazon.com> Wed, 28 March 2018 17:40 UTC

From: "Richard Backman, Annabelle" <richanna@amazon.com>
To: Bill Burke <bburke@redhat.com>, Mike Jones <Michael.Jones@microsoft.com>
CC: Roberto Carbone <carbone@fbk.eu>, "oauth@ietf.org" <oauth@ietf.org>, Nat Sakimura <nat@sakimura.org>
Date: Wed, 28 Mar 2018 17:40:47 +0000
Message-ID: <9A072F0C-96A0-4F5C-8FD0-76110AA2FA3E@amazon.com>
References: <DM5PR00MB02932B889807DF883C006512F5A30@DM5PR00MB0293.namprd00.prod.outlook.com> <CABRXCmykJMcy-PdapRURd7YuZxfMbD9dHkf89AKxObM_2bAqKQ@mail.gmail.com>
In-Reply-To: <CABRXCmykJMcy-PdapRURd7YuZxfMbD9dHkf89AKxObM_2bAqKQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Wt6MUzoLdySMwDra5txZp2mD5Es>

I'm reminded of this session from IIW 21 <http://iiw.idcommons.net/What_Does_%E2%80%9CLogOUT%E2%80%99_mean%3F>. ☺ I look forward to reading the document distilling the various competing use cases and requirements into some semblance of sanity.

> If the framework has no way of invalidating a session across the cluster…

Is this a common deficiency in application frameworks? It seems to me that much of the value of a server-side session record is lost if its state isn’t synchronized across the fleet.

--
Annabelle Richard Backman
Amazon – Identity Services

On 3/28/18, 8:19 AM, "OAuth on behalf of Bill Burke" <oauth-bounces@ietf.org on behalf of bburke@redhat.com> wrote:

    The biggest problem for us [1] is backchannel logout and we had to add a lot of proprietary protocols on top of OIDC's backchannel logout protocol. Specifically for "traditional" non-Javascript applications that have multiple endpoints behind a load balancer. You are really at the mercy of the application frameworks and infrastructure used to secure and cluster the application. If the framework has no way of invalidating a session across the cluster, then you're forced to register each endpoint and have the OP make a logout request to each of those endpoints. Even if the framework has a way to invalidate a session across a cluster, the Session ID is owned and asserted by the OP. This means that the application framework has to have a way to associate the OP's Session ID with a local session. If there's no way to do this cross cluster, then you're often forced to fall back to registering each endpoint and the OP making individual backchannel logout requests to each RP endpoint.

    From a product point of view, the only viable solution is to front apps with a security proxy. Otherwise you're resolving the problem for each and every application framework you'd provide an adapter/library for.

    [1] https://keycloak.org



    On Wed, Mar 28, 2018 at 9:53 AM, Mike Jones <Michael.Jones@microsoft.com> wrote:
    > Digital identity systems almost universally support end-users logging into applications and many also support logging out of them. But while login is reasonably well understood, there are many different kinds of semantics for “logout” in different use cases and a wide variety of mechanisms for effecting logouts.
    >
    > I led a discussion on the topic “What Does Logout Mean?” at the 2018 OAuth Security Workshop in Trento, Italy, which was held the week before IETF 101, to explore this topic. The session was intentionally a highly interactive conversation, gathering information from the experts at the workshop to expand our collective understanding of the topic. Brock Allen – a practicing application security architect (and MVP for ASP.NET/IIS) – significantly contributed to the materials used to seed the discussion. And Nat Sakimura took detailed notes to record what we learned during the discussion.
    >
    > Feedback on the discussion was uniformly positive. It seemed that all the participants learned things about logout use cases, mechanisms, and limitations that they hadn’t previously considered.
    >
    > Materials related to the session are:
    >
    > Presentation used to bootstrap the discussions (pptx) (pdf)
    > Notes from the session
    > Workshop submission (pdf)
    > OpenID Connect issue “Create a document explaining "single logout" semantics”
    >
    >                                                        -- Mike
    >
    > P.S. This note was also posted at http://self-issued.info/?p=1804 and as @selfissued.
    >
    > _______________________________________________
    > OAuth mailing list
    > OAuth@ietf.org
    > https://www.ietf.org/mailman/listinfo/oauth
    >







    --
    Bill Burke
    Red Hat
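Bill Burke's point above is that the OP asserts the Session ID, so an RP behind a load balancer can only honour a single back-channel logout request if every node can map that OP `sid` to local sessions through shared state. The following is an added example written for this archive page, not Keycloak's code or anything posted in the thread. It assumes a constructed issuer (`https://op.example`), client id (`rp-example`) and an HS256 shared secret standing in for the OP's signing key (real OPs use asymmetric keys from their JWKS), and an in-memory dict standing in for a cluster-wide store such as Redis. It validates the logout token as OIDC Back-Channel Logout 1.0 section 2.6 requires, then revokes by `sid` through the shared index, so a logout delivered to one node invalidates a session created on another, and a replayed token revokes nothing.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed configuration; a real RP takes these values from its OP registration.
OP_ISSUER = "https://op.example"
RP_CLIENT_ID = "rp-example"
# HS256 shared secret stands in for the OP's signing key so no JWT library is needed;
# real OPs sign logout tokens with asymmetric keys published in their JWKS.
OP_SIGNING_SECRET = b"constructed-demo-secret"
LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_logout_token(op_sid, now=None):
    """The token an OP POSTs to the RP's logout URI (constructed here to drive the demo)."""
    claims = {"iss": OP_ISSUER, "aud": RP_CLIENT_ID, "iat": int(now or time.time()),
              "jti": secrets.token_hex(8), "sid": op_sid, "events": {LOGOUT_EVENT: {}}}
    signing_input = _b64url(b'{"alg":"HS256","typ":"JWT"}') + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(OP_SIGNING_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_logout_token(token, now=None, max_age=300):
    """Checks from OIDC Back-Channel Logout 1.0 section 2.6; raises ValueError on any failure."""
    now = now or time.time()
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, c, s = parts
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never let the header pick it
    expected = hmac.new(OP_SIGNING_SECRET, (h + "." + c).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c))
    aud = claims.get("aud")
    if claims.get("iss") != OP_ISSUER:
        raise ValueError("wrong issuer")
    if RP_CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if not isinstance(claims.get("iat"), int) or abs(now - claims["iat"]) > max_age:
        raise ValueError("iat missing or outside the acceptance window")
    if LOGOUT_EVENT not in claims.get("events", {}):
        raise ValueError("not a back-channel logout event")
    if "sid" not in claims and "sub" not in claims:
        raise ValueError("logout token needs sid or sub")
    if "nonce" in claims or not claims.get("jti"):
        raise ValueError("nonce is prohibited and jti is required")
    return claims

class SharedSessionStore:
    """Cluster-wide session state (a dict here; Redis or a database in production), indexed
    by the OP's sid so any node can revoke a session that another node created."""
    def __init__(self):
        self.sessions = {}     # local session id -> {"user": ..., "op_sid": ...}
        self.by_sid = {}       # OP sid -> set of local session ids
        self.seen_jti = set()  # logout tokens already processed (replay protection)

    def create_session(self, user, op_sid):
        local_id = secrets.token_urlsafe(16)
        self.sessions[local_id] = {"user": user, "op_sid": op_sid}
        self.by_sid.setdefault(op_sid, set()).add(local_id)
        return local_id

    def revoke(self, op_sid=None, user=None):
        """Drop every session bound to the OP sid, or (for sub-only tokens) to the user."""
        if op_sid:
            doomed = self.by_sid.pop(op_sid, set())
        else:
            doomed = {i for i, s in self.sessions.items() if s["user"] == user}
        for local_id in doomed:
            self.sessions.pop(local_id, None)
        return len(doomed)

def handle_backchannel_logout(store, token, now=None):
    """What any RP node runs on the OP's POST; returns the number of sessions revoked."""
    claims = verify_logout_token(token, now)
    if claims["jti"] in store.seen_jti:
        return 0  # replayed token: already handled
    store.seen_jti.add(claims["jti"])
    return store.revoke(op_sid=claims.get("sid"), user=claims.get("sub"))

def demo():
    """Node B creates the session, node A receives the logout; both use the shared store."""
    store = SharedSessionStore()
    session = store.create_session("alice", "op-sid-1")      # handled by node B
    token = make_logout_token("op-sid-1")
    revoked = handle_backchannel_logout(store, token)         # delivered to node A
    replay = handle_backchannel_logout(store, token)          # same token again
    return revoked, session in store.sessions, replay         # (1, False, 0)
```

Without the shared `by_sid` index each node would hold only its own mapping, which is exactly the situation Bill describes where the OP must be configured to call every endpoint individually. The `jti` set belongs in the same shared store for the same reason: replay protection that lives only in one node's memory protects only that node.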