[Openid-specs-ab] Frontchannel logout: logging out when no iss is provided

Tangui Le Pense tangui.lepense at mail.ru
Fri Nov 6 15:43:00 UTC 2020

Vladimir, thanks for your response!
>My suggestion is to only act on iss & sid being present, because
>otherwise you can't really tell where the request is coming from. And
>there is no CSRF or user confirmation that can be invoked.
I’m just wondering if it should be considered as a potential security or usability issue and therefore be mentioned in the security consideration section of the specification or somewhere else.
>Front-channel logout is per definition unreliable. OPs that silently
>expire a user's session, for example, will have no way to notify the RP.
>The front-channel notification can only work when the end-user is at the
>OP and chooses to log out there, or the OP is open in some browser tab
>and the expiration happens.
Actually it reminds me of a previous logout draft which suggested the RP session lifetime could be based on the ID token expiration time. This seems to have been removed since, but as an implementer I couldn’t find any guidance in the specifications on 1) ID token validity duration (a few seconds, enough to open a session on the RP, or the intended duration of the user’s session?) 2) RP session lifetime after «opening» an authenticated session upon ID token validation (1 hour? 2 hours? session cookie?). But I might have missed something and this would be a topic for another thread probably :)
>> - if the RP can have several sessions opened from different OPs, how
>> can the RP know which OP to logout from? For now I’m sticking to a
>> «kill all sessions» approach, but it’s not satisfying
>You can try registering a per OP frontchannel_logout_uri. But again,
>insist on registering the RP for receiving the iss & sid.
Indeed, having frontchannel logout without iss & sid disabled by default seems the way to go.
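The "act only on iss & sid" rule from this thread, as an added example that is not part of the original messages: an RP-side handler for the frontchannel_logout_uri that ignores requests lacking `iss` or `sid`, accepts only issuers the RP has registered with, and ends just the one session opened from that OP instead of killing all sessions. The names `RpSession`, `SessionStore`, `REGISTERED_ISSUERS` and `handle_frontchannel_logout`, the status codes returned, and the issuer values are assumptions for illustration.

```python
# Added example, not code from the thread or any OpenID implementation.
# Names and status codes below are hypothetical choices for illustration.
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

@dataclass
class RpSession:
    rp_session_id: str   # the RP's own cookie/session identifier
    iss: str             # issuer of the ID token that opened this session
    sid: str             # `sid` claim from that ID token (OP session id)

@dataclass
class SessionStore:
    # Keyed by (iss, sid): that pair is what the OP sends in the logout request,
    # so it is the only thing the RP can use to locate the session to close.
    by_op: Dict[Tuple[str, str], RpSession] = field(default_factory=dict)

    def add(self, s: RpSession) -> None:
        self.by_op[(s.iss, s.sid)] = s

    def remove(self, iss: str, sid: str) -> Optional[RpSession]:
        return self.by_op.pop((iss, sid), None)

# OPs this RP has registered a frontchannel_logout_uri with (constructed values).
REGISTERED_ISSUERS = {"https://op-a.example", "https://op-b.example"}

def handle_frontchannel_logout(query: Dict[str, str], store: SessionStore) -> Tuple[int, str]:
    """Handle GET <frontchannel_logout_uri>?iss=...&sid=... rendered by the OP.

    Returns (http_status, reason). Without both iss and sid the RP cannot
    tell which OP, if any, sent the request, so nothing is logged out.
    """
    iss, sid = query.get("iss"), query.get("sid")
    if not iss or not sid:
        return 400, "iss and sid required"     # no way to attribute the request
    if iss not in REGISTERED_ISSUERS:
        return 400, "unknown issuer"           # only OPs we registered with
    removed = store.remove(iss, sid)
    if removed is None:
        return 200, "no matching session"      # idempotent: nothing to close
    return 200, f"logged out {removed.rp_session_id}"  # only that OP's session
```

A session opened from a second OP survives a logout notification from the first, which is the per-OP behaviour the thread asks for instead of the "kill all sessions" fallback.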
