Re: [OAUTH-WG] What Does Logout Mean?

"Richard Backman, Annabelle" <> Fri, 30 March 2018 16:57 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 2F486124F57 for <>; Fri, 30 Mar 2018 09:57:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -14.51
X-Spam-Status: No, score=-14.51 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id XiTwvLY5wwEE for <>; Fri, 30 Mar 2018 09:57:30 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 0AB181201FA for <>; Fri, 30 Mar 2018 09:57:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;;; q=dns/txt; s=amazon201209; t=1522429050; x=1553965050; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=N9FMF28u3d2hMMJuf6n97IqgzuoMHvNGLyb6KfgP3oQ=; b=mJ51/uHEdy8hIWbgk9lu8k94Vp+ch9M9lvQalNAirsOmNk170qCzGG8k SkgrqbDtFNtFQ2SyE7cOczzo6DqKalV64vJfZ1uOPXnLx1jFc9SmZBpnG hClxpRc18SrDa3WP2AmSICrKRw5uD3qqK0Si5lLmxkcIWC6QrfTDHsbWk o=;
X-IronPort-AV: E=Sophos;i="5.48,382,1517875200"; d="scan'208,217";a="714103869"
Received: from (HELO ([]) by with ESMTP/TLS/DHE-RSA-AES256-SHA; 30 Mar 2018 16:57:28 +0000
Received: from ( []) by (8.14.7/8.14.7) with ESMTP id w2UGvMP5034310 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Fri, 30 Mar 2018 16:57:27 GMT
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1236.3; Fri, 30 Mar 2018 16:57:26 +0000
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1236.3; Fri, 30 Mar 2018 16:57:26 +0000
Received: from ([]) by ([]) with mapi id 15.00.1236.000; Fri, 30 Mar 2018 16:57:26 +0000
From: "Richard Backman, Annabelle" <>
To: Bill Burke <>
CC: Mike Jones <>, Roberto Carbone <>, "" <>, Nat Sakimura <>
Thread-Topic: [OAUTH-WG] What Does Logout Mean?
Thread-Index: AdPFuZ82AUZiFFvRRIWVC98G86INvgA7mmyA//+yZICAAI4MgP//m6SAgACNGQCAAmHFgA==
Date: Fri, 30 Mar 2018 16:57:26 +0000
Message-ID: <>
References: <> <> <> <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
user-agent: Microsoft-MacOutlook/10.b.0.180311
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: []
Content-Type: multipart/alternative; boundary="_000_7B1638A7ADAD4AE18AF86E26853D32C7amazoncom_"
MIME-Version: 1.0
Archived-At: <>
Subject: Re: [OAUTH-WG] What Does Logout Mean?
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 30 Mar 2018 16:57:33 -0000

> Then,isn't any backchannel logout specification more of a framework than an actual protocol?

Comments inline.

Annabelle Richard Backman
Amazon – Identity Services

From: Bill Burke <>
Date: Wednesday, March 28, 2018 at 2:35 PM
To: "Richard Backman, Annabelle" <>
Cc: Mike Jones <>, Roberto Carbone <>, "" <>, Nat Sakimura <>
Subject: Re: [OAUTH-WG] What Does Logout Mean?

On Wed, Mar 28, 2018 at 4:09 PM, Richard Backman, Annabelle <<>> wrote:
That makes somewhat more sense to me if we’re talking about applications with sticky sessions. Adding a session-specific logout URI introduces security concerns (e.g. how does the OP validate the URI) and only works if the RP can provide URIs that target individual hosts in their fleet. The “is this SID valid?” endpoint solution that David described doesn’t scale and depends on SID (which is OPTIONAL). Both shift the burden of state management onto the OP, which may not be in any better position to handle it.

FWIW, our OP implementation allows RPs to register their node specific logout endpoints at boot.  This request is authenticated via client authentication.  We also extended code to token request to transmit the local session id.  The OP stores this information.  Backchannel logout POSTS to each and every registered node and transmits a JWS signed by the OP containing the local session ids to invalidate.  That's been enough to cover all the weirdness out there so far.
What does “at boot” mean in the context of OpenID Connect? Do you mean that for every logout, the OP makes a Backchannel Logout request to each of the client’s node-specific logout endpoints? If that’s the case, why can’t the client make those calls themselves, from whichever host happens to receive the Backchannel Logout request?

Since the client only cares about node-local state, they should be able to maintain the mapping between OP session IDs and local session IDs on their side.
This seems like something that needs to be addressed in the client implementations rather than in the specification. Especially when we consider that there are implementation-specific questions lurking in the edge cases. (e.g. what happens when a user comes in with valid cookies, but no server-side session state?)

Then,isn't any backchannel logout specification more of a framework than an actual protocol?
It’s neither. To quote the abstract, it’s “…a logout mechanism….” I think it’s appropriate for the specification to focus on those aspects of the mechnanism that must be standardized in order to have interoperability between OPs and RPs. What we’re discussing falls outside of that, as sticky session implementations are themselves proprietary and the client can address this issue internally without impacting the interoperability of the logout mechanism.

Put another way, the requirement is to get the logout signal from OP to RP. What the RP does with it at that point is up to it.

Bill Burke
Red Hat