[OpenID] OP-Initiated Logout without User Involvement


Aeneas Rekkas

Apr 25, 2020, 7:25:20 AM
to openid-...@lists.openid.net
Hi,

we ( https://github.com/ory/hydra ) are receiving use cases for an OP-Initiated Logout that does not involve the user's browser and cookies. A use case might be that we want to perform Back-Channel Logout when the user changes his/her password. Another example would be that a user is banned by an administrator, which in turn should trigger OIDC Back-Channel Logout. Is there any guidance on how this should be designed/implemented? Maybe even with an API spec?

Best
Aeneas

Florian Forster

Apr 29, 2020, 12:58:48 PM
to Aeneas Rekkas, openid-...@lists.openid.net
Hi Aeneas

Below are some questions/answers. Maybe I did not fully get your idea :-)

...when the user changes his/her password.
> I think most times this happens, it is directly at the OP (or at least its storage), so is this really a use case for OP-initiated Back-Channel Logout? The OP can in this case decide by itself to cancel sessions and trigger RPs about this. Maybe you can elaborate in which setup you find this case.

...banned by an administrator which in turn should trigger OIDC Back-Channel Logout.
> Is the user banned from the RP or the OP? Because, if it is an Identity-Lifecycle thing, where the user is completely locked, I find services like SCIM 2.0 the proper tool. After an account deactivation we could do the same as my answer above states.

Greetings Florian

Florian Forster

Head of CAOS

Phone:  +41 79 956 39 01

Web:      www.caos.ch



_______________________________________________
general mailing list
gen...@lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-general

Florian Forster

Apr 29, 2020, 2:10:20 PM
to Aeneas Rekkas, openid-...@lists.openid.net
Me again

I think I took a wrong turn interpreting your email on my phone :-)

If I understand you correctly you search more or less this one

Which basically defines a URL Endpoint within the RP where the OP can send a JWT. Is it in your use-case a problem for the OP to track the clients on which RP they did sign-in?

Greets
--

Aeneas Rekkas

Apr 30, 2020, 3:31:51 AM
to Florian Forster, openid-...@lists.openid.net
Hi Florian,

thank you for the responses!

> I think most times this happens, it is directly at the OP (or at least its storage), so is this really a use case for OP-initiated Back-Channel Logout? The OP can in this case decide by itself to cancel sessions and trigger RPs about this. Maybe you can elaborate in which setup you find this case.

Depends on the implementation of the OP. For ORY Hydra or CoreOS Dex, which are more or less "OpenID OP proxies", this would not be at the OP directly, but instead at the IdP (the actual user database that implements signup, account recovery et al.). Since OIDC does not specify anything regarding user registration and other basic flows, I would assume that this is an intended operational model, for example when having an existing user system and wanting to add OIDC support. In that case the original user system would do the password change, and the "OIDC support" would need to be notified of that change in order to trigger a logout, which in turn triggers OIDC Back-Channel Logout. My question is if there's any guidance (e.g. API-wise or security-wise "don't do this and that!!!") around that.

Hope this clarifies my question!

Florian Forster

Apr 30, 2020, 4:21:43 AM
to Aeneas Rekkas, openid-...@lists.openid.net
I think I now understand your question.

So you are asking about the IdP -> OP (OIDC facade) "trigger" and not about the OP -> RP integration (OIDC Back-Channel Logout) [1], right?
I am not aware of a definition / standard for the IdP -> OP part; others might be :-)

Most systems I know use specific integrations corresponding to the IdP's capabilities, e.g. with LDAP they tail the audit log for changes or have scheduled queries.




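The two halves of the flow discussed above, worked through as an added example (it is not code from this thread, from ORY Hydra or from CoreOS Dex): an OP that fronts an external user store receives the IdP -> OP "trigger" (a password change or an admin ban), drops every session it holds for that subject, and emits one OIDC Back-Channel Logout token per RP session; the RP side then validates the token at its backchannel_logout_uri and revokes matching sessions. To stay stdlib-only the tokens are HS256-signed with a shared secret; a production OP signs with its JWKS key and the RP pins the expected alg/kid from the OP's metadata. The issuer, client ids, URLs, secrets and the in-memory session tables are all invented for the example, and HTTP POSTs are recorded in a list instead of being sent so the code runs offline.

```python
"""Added example (not ORY Hydra's code and not from this thread): an OP in front of
an external IdP turns an identity event into Back-Channel Logout tokens; the RP
validates them. HS256 keeps it stdlib-only; real OPs sign with their JWKS key.
Every name, URL and secret below is invented."""
import base64, hashlib, hmac, json, time, uuid
from urllib.parse import parse_qs

BACKCHANNEL_EVENT = "http://schemas.openid.net/event/backchannel-logout"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_logout_token(issuer, client_id, sub, sid, secret, now=None):
    """Logout Token: iss, aud, iat, jti, the events claim, sub and sid, and no nonce."""
    claims = {"iss": issuer, "aud": client_id, "iat": int(now or time.time()),
              "jti": str(uuid.uuid4()), "sub": sub, "sid": sid,
              "events": {BACKCHANNEL_EVENT: {}}}
    signing_input = _b64(json.dumps({"alg": "HS256"}).encode()) + "." + _b64(json.dumps(claims).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)

def validate_logout_token(token, issuer, client_id, secret, seen_jti, now=None, max_age=120):
    """RP-side checks; raises ValueError on any failure (the RP then answers 400)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    h64, c64, s64 = parts
    if json.loads(_unb64(h64)).get("alg") != "HS256":   # pin the alg; never accept 'none'
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(c64))
    if claims.get("iss") != issuer or claims.get("aud") != client_id:
        raise ValueError("wrong iss/aud")
    if abs(int(now or time.time()) - int(claims.get("iat", 0))) > max_age:
        raise ValueError("iat outside the acceptable window")
    if BACKCHANNEL_EVENT not in (claims.get("events") or {}):
        raise ValueError("missing backchannel-logout event")
    if "sub" not in claims and "sid" not in claims:
        raise ValueError("sub or sid required")
    if "nonce" in claims:
        raise ValueError("nonce is prohibited in a logout token")
    jti = claims.get("jti")
    if jti is None or jti in seen_jti:   # replay protection
        raise ValueError("missing or replayed jti")
    seen_jti.add(jti)
    return claims

class OPFacade:
    """OP proxying an external user store; tracks which RP holds which session."""
    def __init__(self, issuer, secret):
        self.issuer, self.secret = issuer, secret
        self.sessions = {}      # sub -> [(sid, client_id, backchannel_logout_uri)]
        self.deliveries = []    # stand-in for HTTP POSTs so the example runs offline

    def login(self, sub, client_id, logout_uri):
        sid = str(uuid.uuid4())
        self.sessions.setdefault(sub, []).append((sid, client_id, logout_uri))
        return sid

    def on_identity_event(self, sub, reason):
        """IdP -> OP trigger ('password_changed', 'banned'): drop OP sessions, notify RPs."""
        sent = []
        for sid, client_id, uri in self.sessions.pop(sub, []):
            token = sign_logout_token(self.issuer, client_id, sub, sid, self.secret)
            body = "logout_token=" + token            # application/x-www-form-urlencoded
            self.deliveries.append((uri, body, reason))
            sent.append((uri, token))
        return sent

def rp_handle_backchannel_logout(body, issuer, client_id, secret, rp_sessions, seen_jti):
    """RP's backchannel_logout_uri handler: returns (HTTP status, sessions revoked)."""
    token = parse_qs(body).get("logout_token", [None])[0]
    if token is None:
        return 400, 0
    try:
        claims = validate_logout_token(token, issuer, client_id, secret, seen_jti)
    except ValueError:
        return 400, 0
    sid, sub = claims.get("sid"), claims.get("sub")
    # With a sid, revoke that one session; with only a sub, revoke all of the user's.
    keep = [s for s in rp_sessions if s["sid"] != sid and (sid is not None or s["sub"] != sub)]
    revoked = len(rp_sessions) - len(keep)
    rp_sessions[:] = keep
    return 200, revoked
```

The `on_identity_event` method is the piece the thread found unspecified: however the IdP reports the change (an LDAP audit-log tail, a scheduled query, a webhook from the user store), the OP's job is the same, look up every RP session for that subject, invalidate it locally, and deliver a fresh logout token to each RP. The RP side rejects a replayed `jti`, a wrong `iss`/`aud`, a stale `iat`, a token carrying a `nonce`, or one missing the backchannel-logout event, answering 400 in each case.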
Aeneas Rekkas

Apr 30, 2020, 4:23:17 AM
to Florian Forster, openid-...@lists.openid.net
Yup, exactly! I think LDAP is a pretty good example for this flow. Because not everyone uses LDAP or has audit logs for that, I was wondering if there's any specification or guidance around that.

Thank you!

Florian Forster

Apr 30, 2020, 4:34:00 AM
to Aeneas Rekkas, openid-...@lists.openid.net
Not that I know off the top of my head.
