[Openid-specs-ab] Frontchannel logout: logging out when no iss is provided
Tangui Le Pense
tangui.lepense at mail.ru
Sat Oct 31 10:15:58 UTC 2020
I’m a bit late to the party, so sorry if these points have already been
discussed.
I’m currently implementing frontchannel logout
(https://openid.net/specs/openid-connect-frontchannel-1_0-04.html) in an
RP and in case `iss` (and `sid`) is not provided when the OP hits the
frontchannel logout URI, I was wondering:
- can’t any site open this URI in an iframe and trigger logout? A site
periodically refreshing such a malicious iframe would result in kind of
a DoS attack. If the RP is not capable of temporarily saving form data,
it could be even more annoying for the user experiencing data loss.
Sure, if that happens, the RP will redirect to the OP which will
probably seamlessly redirect back to the RP with a new ID token. But
this is not documented as a security risk or anywhere else, which is why
I’m wondering if I’ve just missed something here
- if the RP can have several sessions opened from different OPs, how can
the RP know which OP to log out from? For now I’m sticking to a «kill all
sessions» approach, but it’s not satisfying
Best,
--
Tangui
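Added example, not part of the post above and not code from any OpenID project: one way an RP can close both gaps raised in the message is to act on a front-channel logout request only when it carries an `iss` and `sid` that match a session the RP itself holds, ignoring the request otherwise. The spec's RP metadata parameter `frontchannel_logout_session_required=true` tells the OP to always send those two parameters; everything else here (the `RpSession`/`SessionStore` types, `handle_frontchannel_logout`, the issuer URLs and session identifiers in `demo()`) is a constructed illustration.

```python
# Added example (not from the original post or the spec): an RP-side
# front-channel logout handler that refuses to act unless the request
# carries an iss and sid that match a session the RP actually holds.
# With that policy an arbitrary page embedding the logout URI in an
# iframe (or reloading it on a timer) cannot log anyone out, and an RP
# with sessions from several OPs ends only the one the OP asked about.
# The RP registers frontchannel_logout_session_required=true with each
# OP so that every logout request carries both parameters.
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlparse


@dataclass
class RpSession:
    session_id: str   # the RP's own session identifier (hypothetical)
    iss: str          # issuer of the ID token that established the session
    sid: str          # the ID token's sid claim (OP session identifier)
    active: bool = True


@dataclass
class SessionStore:
    # Toy in-memory store; a real RP would index (iss, sid) in its database.
    sessions: dict = field(default_factory=dict)

    def add(self, session: RpSession) -> None:
        self.sessions[session.session_id] = session

    def find_by_op_session(self, iss: str, sid: str) -> list:
        return [s for s in self.sessions.values()
                if s.active and s.iss == iss and s.sid == sid]


def _single_param(query: dict, name: str):
    # Require exactly one non-empty value; duplicated parameters count as absent.
    values = query.get(name, [])
    return values[0] if len(values) == 1 and values[0] else None


def handle_frontchannel_logout(request_url: str, store: SessionStore,
                               trusted_issuers: set) -> tuple:
    """Process GET <frontchannel_logout_uri>?iss=...&sid=...

    Returns (status, terminated_rp_session_ids). The RP cookie is never
    consulted: a cross-site iframe may not carry it at all, and acting on
    it would let any embedding page trigger a logout.
    """
    query = parse_qs(urlparse(request_url).query)
    iss = _single_param(query, "iss")
    sid = _single_param(query, "sid")
    if iss is None or sid is None:
        return "ignored", []                 # the iframe DoS case from the post
    if iss not in trusted_issuers:
        return "ignored", []                 # an unknown OP cannot end sessions
    matched = store.find_by_op_session(iss, sid)
    for session in matched:
        session.active = False
    status = "logged_out" if matched else "ignored"
    return status, sorted(s.session_id for s in matched)


def demo() -> dict:
    """Constructed scenario: one RP holding sessions from two different OPs."""
    store = SessionStore()
    store.add(RpSession("rp-sess-1", "https://op-a.example", "sid-a-1"))
    store.add(RpSession("rp-sess-2", "https://op-b.example", "sid-b-1"))
    trusted = {"https://op-a.example", "https://op-b.example"}
    base = "https://rp.example/frontchannel-logout"
    results = {
        # iframe loaded by some unrelated site, no parameters at all
        "bare": handle_frontchannel_logout(base, store, trusted),
        # known OP but a sid the RP has never seen
        "wrong_sid": handle_frontchannel_logout(
            base + "?iss=https%3A%2F%2Fop-a.example&sid=guess", store, trusted),
        # genuine request from OP A for the session it established
        "op_a": handle_frontchannel_logout(
            base + "?iss=https%3A%2F%2Fop-a.example&sid=sid-a-1", store, trusted),
    }
    # the session from OP B is untouched: no "kill all sessions" needed
    results["op_b_still_active"] = store.sessions["rp-sess-2"].active
    return results


if __name__ == "__main__":
    print(demo())
```

The handler deliberately looks sessions up by `(iss, sid)` rather than by cookie, because browsers increasingly withhold third-party cookies from the OP's iframe; that also means the RP has to persist the `sid` claim from the ID token at login time, since it is the only key it will later have.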