Re: [OAUTH-WG] What Does Logout Mean?

"Richard Backman, Annabelle" <> Wed, 28 March 2018 17:40 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 107291270B4 for <>; Wed, 28 Mar 2018 10:40:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -14.511
X-Spam-Status: No, score=-14.511 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id elQu8HHz_sIK for <>; Wed, 28 Mar 2018 10:40:50 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id BE39E126DED for <>; Wed, 28 Mar 2018 10:40:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;;; q=dns/txt; s=amazon201209; t=1522258850; x=1553794850; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=3N3alRpH8CvfWNLjoKkWyEE6GM+kOa5iI2c80KbPw4g=; b=f5nV5aqJlx1WjRqMmdoWLsXjzbmMxpzufsnlXDj/B+2mr0ZL4/NHLBwu jLQMLtL6OG0xBuwEM7veEc+X/m1ECH5Itavn5n4BkREa7OTPrdlbKYXot eIcmcHXH+8i+VJpG0Sx+d+TcvT5/o+IkJRVzlIDqkueJVOVjy2ok//Ozp Q=;
X-IronPort-AV: E=Sophos;i="5.48,372,1517875200"; d="scan'208,217";a="731608085"
Received: from (HELO ([]) by with ESMTP/TLS/DHE-RSA-AES256-SHA; 28 Mar 2018 17:40:48 +0000
Received: from ( []) by (8.14.7/8.14.7) with ESMTP id w2SHekN4079427 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Wed, 28 Mar 2018 17:40:48 GMT
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1236.3; Wed, 28 Mar 2018 17:40:47 +0000
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1236.3; Wed, 28 Mar 2018 17:40:47 +0000
Received: from ([]) by ([]) with mapi id 15.00.1236.000; Wed, 28 Mar 2018 17:40:47 +0000
From: "Richard Backman, Annabelle" <>
To: Bill Burke <>, Mike Jones <>
CC: Roberto Carbone <>, "" <>, Nat Sakimura <>
Thread-Topic: [OAUTH-WG] What Does Logout Mean?
Thread-Index: AdPFuZ82AUZiFFvRRIWVC98G86INvgA7mmyA//+yZIA=
Date: Wed, 28 Mar 2018 17:40:47 +0000
Message-ID: <>
References: <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
user-agent: Microsoft-MacOutlook/10.b.0.180311
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: []
Content-Type: multipart/alternative; boundary="_000_9A072F0C96A04F5C8FD076110AA2FA3Eamazoncom_"
MIME-Version: 1.0
Precedence: Bulk
Archived-At: <>
Subject: Re: [OAUTH-WG] What Does Logout Mean?
X-Mailman-Version: 2.1.22
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 28 Mar 2018 17:40:54 -0000

I'm reminded of this session from IIW 21<>. ☺ I look forward to reading the document distilling the various competing use cases and requirements into some semblance of sanity.

> If the framework has no way of invalidating a session across the cluster…

Is this a common deficiency in application frameworks? It seems to me that much of the value of a server-side session record is lost if its state isn’t synchronized across the fleet.


Annabelle Richard Backman

Amazon – Identity Services

On 3/28/18, 8:19 AM, "OAuth on behalf of Bill Burke" < on behalf of> wrote:

    The biggest problem for us [1] is backchannel logout and we had to add

    a lot of proprietary protocols on top of OIDC's backchannel logout

    protocol.  Specifically for "traditional" non-Javascript applications

    that have multiple endpoints behind a load balancer.   You are really

    at the mercy of the application frameworks and infrastructure used to

    secure and cluster the application.   If the framework has no way of

    invalidating a session across the cluster, then you're forced to

    register each endpoint and have the OP make a logout request to each

    of those endpoints.  Even if the framework has a way to invalidate a

    session across a cluster, the the Session ID is owned and asserted by

    the OP.  This means that the application framework has to have a way

    to associate the OP's Session ID with a local session.  If there's no

    way to do this cross cluster, then you're often forced to fallback to

    registering each endpoint and the OP making individual backchannel

    logout requests to each RP endpoint.

    >From a product point of view, the only viable solution is to front

    apps with a security proxy.  Otherwise you're resolving the problem

    for each and every application framework you'd provide an

    adapter/library for.


    On Wed, Mar 28, 2018 at 9:53 AM, Mike Jones <> wrote:

    > Digital identity systems almost universally support end-users logging into

    > applications and many also support logging out of them.  But while login is

    > reasonable well understood, there are many different kinds of semantics for

    > “logout” in different use cases and a wide variety of mechanisms for

    > effecting logouts.




    > I led a discussion on the topic “What Does Logout Mean?” at the 2018 OAuth

    > Security Workshop in Trento, Italy, which was held the week before IETF 101,

    > to explore this topic.  The session was intentionally a highly interactive

    > conversation, gathering information from the experts at the workshop to

    > expand our collective understanding of the topic.  Brock Allen – a

    > practicing application security architect (and MVP for ASP.NET/IIS) –

    > significantly contributed to the materials used to seed the discussion.  And

    > Nat Sakimura took detailed notes to record what we learned during the

    > discussion.




    > Feedback on the discussion was uniformly positive.  It seemed that all the

    > participants learned things about logout use cases, mechanisms, and

    > limitations that they previously hadn’t previously considered.




    > Materials related to the session are:


    > Presentation used to bootstrap the discussions (pptx) (pdf)

    > Notes from the session

    > Workshop submission (pdf)

    > OpenID Connect issue “Create a document explaining "single logout"

    > semantics”




    >                                                        -- Mike




    > P.S. This note was also posted at and as

    > @selfissued.



    > _______________________________________________

    > OAuth mailing list





    Bill Burke

    Red Hat


    OAuth mailing list