IBM Security Verify


This portal will be removed

In IBM’s effort to continue to streamline and simplify navigation for our customers, this Ideas portal will be shut down on February 28, 2023. We would ask that you use the main IBM Ideas portal at https://ideas.ibm.com/ or the IBM Security-specific portal at https://ibmsecurity.ideas.ibm.com/ to review, vote for existing ideas, or add new ideas.

Support OIDC Session Management, Front-Channel Logout and Back-Channel Logout Specs

Background:

  • We have multiple applications (Relying Party - RP) which use IBM CI as their OP (OpenID Connect Provider)
  • The RPs are a mix of both Single Page Application as well as Full Stack Applications (i.e., both Web Server and App Server)
  • The RPs rely on the ‘prompt=none’ OP offering to provide a pseudo-single-sign-on since the RPs do not share a common session between each other.
    • This means that each RP obtains and manages its own ID, ACCESS and REFRESH Tokens
Scenario:

  1. User, with a fresh session, goes to RP A. User asks to log into RP A and is directed to OP via Auth Code Flow (with PKCE)
  2. RP A obtains ID, Access and Refresh tokens for the User and allows the User to perform X actions on the site.
  3. User finishes up on RP A and browses over to RP B.
  4. RP B leverages ‘prompt=none’ via Auth Code Flow.
  5. The OP sees that the User’s login session is still valid and responds with the requested tokens (e.g., ID Token)
  6. RP B allows the User to perform Y actions on the site
  7. The User finishes up and wishes to Logout [See below for questions regarding logout]
Without support of the OIDC Logout Flows mentioned above, User Single Logout implementations become one-off, hokey solutions. However, if the OIDC Specifications above were supported, we would be able to leverage a common Logout pattern.
These specifications are supported by a majority of the major Cloud Identity Provider offerings (e.g., Azure, AWS Cognito, etc.).
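As an added example (not part of the idea above and not IBM Security Verify or IBM CI code), the following shows what the RP side of the OIDC Back-Channel Logout flow requested here looks like: the OP POSTs a signed logout token to each RP, and the RP validates it and terminates the local session that was created from the `prompt=none` login in step 5 of the scenario. Everything here is constructed: the shared HS256 key (a real OP would normally sign with RS256/ES256 and publish the key in its JWKS), the issuer URL `https://op.example.test`, the client id `rp-b`, the session ids, and the in-memory `RpSessionStore`, which stands in for whatever session table a real RP keeps.

```python
import base64
import hashlib
import hmac
import json
import time

# Event URI that the OIDC Back-Channel Logout 1.0 spec requires in the "events" claim.
BACKCHANNEL_LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"


class LogoutTokenError(ValueError):
    """Raised when a logout token fails any check the RP must perform."""


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Constructed stand-in for the OP's signer: mints a compact HS256 JWT."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def validate_logout_token(token, key, issuer, client_id, seen_jti, now=None, skew=60):
    """Checks from Back-Channel Logout 1.0 sec. 2.6: signature, iss, aud, iat, the
    backchannel-logout event, sub or sid, no nonce, and jti replay. Returns the claims."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise LogoutTokenError("not a compact JWS")
    header = json.loads(_b64url_decode(parts[0]))
    # Pin the algorithm the RP expects instead of trusting the token's own "alg" header.
    if header.get("alg") != "HS256":
        raise LogoutTokenError("unexpected alg")
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise LogoutTokenError("bad signature")
    claims = json.loads(_b64url_decode(parts[1]))
    if claims.get("iss") != issuer:
        raise LogoutTokenError("wrong issuer")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if client_id not in aud:
        raise LogoutTokenError("token not addressed to this RP")
    iat = claims.get("iat")
    if not isinstance(iat, int) or iat > now + skew:
        raise LogoutTokenError("missing or future iat")
    if "exp" in claims and claims["exp"] < now - skew:
        raise LogoutTokenError("expired")
    events = claims.get("events")
    if not isinstance(events, dict) or BACKCHANNEL_LOGOUT_EVENT not in events:
        raise LogoutTokenError("missing back-channel logout event")
    if "sub" not in claims and "sid" not in claims:
        raise LogoutTokenError("neither sub nor sid present")
    if "nonce" in claims:
        raise LogoutTokenError("nonce present: this is an ID Token, not a logout token")
    jti = claims.get("jti")
    if not jti or jti in seen_jti:
        raise LogoutTokenError("missing or replayed jti")
    seen_jti.add(jti)
    return claims


class RpSessionStore:
    """Constructed in-memory stand-in for the RP's own session table."""

    def __init__(self):
        self._sessions = {}  # local cookie id -> {"sub": ..., "sid": ...}

    def create(self, local_id, sub, sid):
        self._sessions[local_id] = {"sub": sub, "sid": sid}

    def active(self):
        return sorted(self._sessions)

    def revoke_for_logout(self, claims):
        """Terminate the session(s) the logout token names: by OP session id (sid) when
        present, otherwise every session for the subject. Returns the revoked local ids."""
        field = "sid" if "sid" in claims else "sub"
        victims = [k for k, s in self._sessions.items() if s[field] == claims[field]]
        for k in victims:
            del self._sessions[k]
        return sorted(victims)


def demo():
    """Constructed walk-through: RP B holds two sessions for alice (two browsers) and one
    for bob; the OP sends a logout token for alice's first OP session; only that one goes."""
    key, issuer, now = b"constructed-shared-secret", "https://op.example.test", 1_700_000_000
    store = RpSessionStore()
    store.create("cookie-1", sub="alice", sid="op-sess-1")
    store.create("cookie-2", sub="alice", sid="op-sess-2")
    store.create("cookie-3", sub="bob", sid="op-sess-3")
    token = sign_hs256({"iss": issuer, "aud": "rp-b", "iat": now, "jti": "evt-1",
                        "sub": "alice", "sid": "op-sess-1",
                        "events": {BACKCHANNEL_LOGOUT_EVENT: {}}}, key)
    seen = set()
    revoked = store.revoke_for_logout(validate_logout_token(token, key, issuer, "rp-b", seen, now=now))
    try:  # the same token delivered twice must be rejected (jti replay)
        validate_logout_token(token, key, issuer, "rp-b", seen, now=now)
        replay_rejected = False
    except LogoutTokenError:
        replay_rejected = True
    return {"revoked": revoked, "remaining": store.active(), "replay_rejected": replay_rejected}


if __name__ == "__main__":
    print(demo())
```

The point the idea is making shows up in `revoke_for_logout`: because the OP's `sid` is carried in the ID Token and again in the logout token, each RP can map the OP's session to its own local session without sharing session state with the other RPs, which is exactly the common logout pattern that `prompt=none` alone cannot give. The RP should also respond to the OP's POST with 200 only after the session is gone, and the `seen_jti` set must live as long as tokens could plausibly be replayed.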

  • Guest
  • Feb 7 2020
  • Planned for future release
  • Guest commented
    11 Mar, 2020 02:45am

    While we identify the best approach for OIDC back-channel and front-channel logout, we will be implementing an alternative that allows for a session ID to be included in the JWT and introspection access token for customer-side management.

    We will keep this epic open in the long term to implement this later in this year or early 2021.
