[mitreid-connect] Session Management

Justin Richer jricher at MIT.EDU
Tue Jun 3 08:17:46 EDT 2014


Hi,

Sorry, I thought for sure I had responded to this. At the moment, there 
are no concrete plans to implement the session management specification 
before it finalizes. There hasn't been demand for it (yet) and there 
aren't many implementations of it to go off of. Even Google, who wrote 
the original spec, has diverged from the current version in their own 
implementation.

Revoking all tokens for a user wouldn't really enable single logout. 
Each RP you're signing in to isn't going to be going through an 
authentication step with every page load; it's more likely going to have 
its own local session with the user. This session will continue whether 
or not the ID Token and Access Token are still valid.

  -- Justin

On 6/2/2014 9:36 AM, Christian Metzler wrote:
> Is this Mailing List up to date? Or is there a different way to get answers to my questions on MitreID Connect?
>
> On 19.05.2014 at 11:04, Christian Metzler <Christian.Metzler at abas.de> wrote:
>
>> Hi,
>>
>> I'm currently evaluating the MitreID Connect implementation. I wonder if
>> there are plans to implement the Session Management specification
>> according to http://openid.net/specs/openid-connect-session-1_0.html
>>
>> In addition I would be interested if it is possible to revoke all tokens
>> for a specific user session programmatically. This would enable a single
>> logout. My idea is to specify a new scope (similar to offline_access)
>> called online_access which specifies that a client only can get new
>> access tokens as long as the session is alive.
>>
>> Regards,
>>
>> Christian
>> _______________________________________________
>> mitreid-connect mailing list
>> mitreid-connect at mit.edu
>> http://mailman.mit.edu/mailman/listinfo/mitreid-connect
>>
>
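
Added example, not part of the original thread and not MITREid Connect code: a small model of the point made in the reply, that an RP's local session outlives token revocation at the provider unless the RP re-checks the token on each request. The `OP` and `RP` classes, their methods and the `recheck_tokens` flag are hypothetical names assumed for illustration.

```python
import secrets


class OP:
    """Hypothetical stand-in for an OpenID Provider's token store."""

    def __init__(self):
        self.active = {}  # access token -> user

    def issue(self, user):
        token = secrets.token_urlsafe(16)
        self.active[token] = user
        return token

    def revoke_all(self, user):
        # Server-side revocation of every token issued for this user.
        self.active = {t: u for t, u in self.active.items() if u != user}

    def is_active(self, token):
        return token in self.active


class RP:
    """Hypothetical relying party that keeps its own session after login."""

    def __init__(self, op, recheck_tokens=False):
        self.op = op
        self.recheck_tokens = recheck_tokens
        self.sessions = {}  # local session id -> (user, access token)

    def login(self, user):
        token = self.op.issue(user)  # stands in for the full OIDC flow
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = (user, token)
        return sid

    def page_load(self, sid):
        entry = self.sessions.get(sid)
        if entry is None:
            return None
        user, token = entry
        # Only an RP that asks the OP on each request notices revocation.
        if self.recheck_tokens and not self.op.is_active(token):
            del self.sessions[sid]
            return None
        return user


def demo():
    op = OP()
    plain, checking = RP(op), RP(op, recheck_tokens=True)
    s1, s2 = plain.login("alice"), checking.login("alice")
    op.revoke_all("alice")
    return plain.page_load(s1), checking.page_load(s2)
```

`demo()` returns `("alice", None)`: the RP with only a local session still serves the user after revocation, while the RP that re-checks drops the session.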


