IBM Security Verify


Support OIDC Session Management, Front-Channel Logout and Back-Channel Logout Specs

Background:

  • We have multiple applications (Relying Party - RP) which use IBM CI as their OP (OpenID Connect Provider)
  • The RPs are a mix of both Single Page Application as well as Full Stack Applications (i.e., both Web Server and App Server)
  • The RPs rely on the ‘prompt=none’ OP offering to provide a pseudo-single-sign-on since the RPs do not share a common session between each other.
    • This means that each RP obtains and manages its own ID, ACCESS and REFRESH Tokens


Scenario:

  1. User, with a fresh session, goes to RP A. User asks to log into RP A and is directed to OP via Auth Code Flow (with PKCE)
  2. RP A obtains ID, Access and Refresh tokens for the User and allows the User to perform X actions on the site.
  3. User finishes up on RP A and browses over to RP B.
  4. RP B leverages ‘prompt=none’ via Auth Code Flow.
  5. The OP sees that the User’s login session is still valid and responds with the requested tokens (e.g., ID Token)
  6. RP B allows the User to perform Y actions on the site
  7. The User finishes up and wishes to Logout [See below for questions regarding logout]


Without support of the OIDC Logout Flows mentioned above, User Single Logout implementations become one-off, hokey solutions. However, if the OIDC Specifications above were supported, we would be able to leverage a common Logout pattern.

These specifications are supported by a majority of the major Cloud Identity Provider offerings (e.g., Azure, AWS Cognito, etc.).

  • Guest
  • Feb 7 2020
  • Planned for future release
  • Guest commented
    11 Mar, 2020 02:45am

    While we identify the best approach for OIDC back-channel and front-channel logout, we will be implementing an alternative that allows for a session ID to be included in the JWT and introspection access token for customer-side management.

    We will keep this epic open in the long term to implement this later in this year or early 2021.
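The relying-party side of the Back-Channel Logout flow the idea asks for, keyed on the `sid` claim the IBM reply says will be placed in the token, as an added example that is not part of the original post or of IBM Security Verify. It assumes an HS256 JWS with a constructed shared secret standing in for the OP's real signing key (a real OP would sign with RS256 and publish its JWKS), constructed issuer and client names, and an in-memory session store; `make_hs256_jwt` exists only so the example runs offline.

```python
import base64, hashlib, hmac, json, time

BACKCHANNEL_EVENT = "http://schemas.openid.net/event/backchannel-logout"  # Back-Channel Logout 1.0, sec. 2.4

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_hs256_jwt(claims: dict, key: bytes) -> str:  # stand-in for the OP, so the example runs offline
    head = _b64url(json.dumps({"alg": "HS256", "typ": "logout+jwt"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def validate_logout_token(token: str, key: bytes, issuer: str, client_id: str,
                          seen_jti: set, now=None) -> dict:
    """Apply the logout_token checks of Back-Channel Logout 1.0 sec. 2.6; return claims or raise."""
    head_b64, body_b64, sig_b64 = token.split(".")
    if json.loads(_unb64url(head_b64)).get("alg") != "HS256":  # pin the alg; never accept "none"
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):
        raise ValueError("bad signature")
    c = json.loads(_unb64url(body_b64))
    now = time.time() if now is None else now
    aud = c.get("aud"); aud = [aud] if isinstance(aud, str) else (aud or [])
    if c.get("iss") != issuer or client_id not in aud:
        raise ValueError("iss/aud mismatch")
    if not isinstance(c.get("iat"), (int, float)) or c["iat"] > now + 60 or c.get("exp", 0) <= now:
        raise ValueError("iat/exp outside window")
    if not isinstance(c.get("events", {}).get(BACKCHANNEL_EVENT), dict):
        raise ValueError("missing backchannel-logout event")
    if "nonce" in c:  # prohibited: a nonce marks an ID Token, which must never pass as a logout token
        raise ValueError("nonce present")
    if "sub" not in c and "sid" not in c:
        raise ValueError("need sub or sid")
    if c.get("jti") in seen_jti:  # reject replayed tokens
        raise ValueError("replayed jti")
    seen_jti.add(c.get("jti"))
    return c

def end_sessions(claims: dict, sessions: dict) -> list:
    """Terminate RP sessions: only the OP session named by sid if present, else every session of sub."""
    key = "sid" if "sid" in claims else "sub"  # sid is what the RP stored at login from the ID Token
    doomed = sorted(k for k, s in sessions.items() if s.get(key) == claims[key])
    for k in doomed:
        del sessions[k]
    return doomed
```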
