[Openid-specs-ab] Possible state parameter for RP-initiated logout

Justin Richer jricher at MIT.EDU
Tue Jul 1 12:28:52 UTC 2014

I'll caveat this by saying that we haven't implemented the session 
management spec at this time, and as such I do not have first-hand 
experience with its workings.

That said, this proposal makes sense as it's a client-initiated series 
of redirects, and the "state" parameter acts as a kind of session key 
for that request series (when used properly at least) in OAuth. Also, 
since it's in the scope of a single redirect communication, I don't 
think it's a burden for the IdP.

  -- Justin

On 6/30/2014 8:31 PM, Mike Jones wrote:
> Some Microsoft product people have requested an optional "state" 
> parameter for RP-initiated logout requests.  Like the OAuth "state" 
> parameter this would be passed to the end_session_endpoint as an 
> optional query parameter, and if present, would be passed back with 
> the same value to the post_logout_redirect_uri endpoint.
> What do people think of this proposal?
> RP-initiated logout is defined at 
> http://openid.net/specs/openid-connect-session-1_0.html#RPLogout.
> -- Mike
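
The round trip discussed in this thread, as an added example that is not part of either message or of the specification: the RP binds a fresh "state" to the user's session, sends it to the end_session_endpoint, and accepts the post_logout_redirect_uri callback only if the same value comes back. The endpoint URLs, function names and the dict used as a session store are assumptions made for illustration.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Hypothetical endpoints, constructed for this example.
END_SESSION_ENDPOINT = "https://op.example/end_session"
POST_LOGOUT_REDIRECT_URI = "https://rp.example/logged_out"


def start_logout(session: dict) -> str:
    """RP side: mint a fresh state, remember it in the user's session,
    and build the redirect to the OP's end_session_endpoint."""
    state = secrets.token_urlsafe(32)
    session["logout_state"] = state
    query = urlencode({
        "post_logout_redirect_uri": POST_LOGOUT_REDIRECT_URI,
        "state": state,
    })
    return f"{END_SESSION_ENDPOINT}?{query}"


def op_redirect_back(logout_url: str) -> str:
    """Stand-in for the OP: pass state back unchanged if it was sent.
    Checking the redirect URI against the client's registration is
    left out of this stand-in."""
    params = parse_qs(urlsplit(logout_url).query)
    target = params["post_logout_redirect_uri"][0]
    if "state" in params:
        target += "?" + urlencode({"state": params["state"][0]})
    return target


def finish_logout(session: dict, callback_url: str) -> bool:
    """RP side: accept the callback only if it carries the state this
    session issued. The stored value is consumed, so it is single-use."""
    expected = session.pop("logout_state", None)
    returned = parse_qs(urlsplit(callback_url).query).get("state", [None])[0]
    if expected is None or returned is None:
        return False
    # Constant-time comparison of the issued and returned values.
    return hmac.compare_digest(expected.encode(), returned.encode())
```
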
