[Openid-specs-ab] Possible state parameter for RP-initiated logout
jricher at MIT.EDU
Tue Jul 1 12:28:52 UTC 2014
I'll caveat this by saying that we haven't implemented the session
management spec at this time, and as such I do not have first-hand
experience with its workings.

That said, this proposal makes sense as it's a client-initiated series
of redirects, and the "state" parameter acts as a kind of session key
for that request series (when used properly at least) in OAuth. Also,
since it's in the scope of a single redirect communication, I don't
think it's a burden for the IdP.

On 6/30/2014 8:31 PM, Mike Jones wrote:
> Some Microsoft product people have requested an optional "state"
> parameter for RP-initiated logout requests. Like the OAuth "state"
> parameter this would be passed to the end_session_endpoint as an
> optional query parameter, and if present, would be passed back with
> the same value to the post_logout_redirect_uri endpoint.
> What do people think of this proposal?
> RP-initiated logout is defined at
> -- Mike
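
The round trip described in the proposal, seen from the RP's side, as an added example that is not part of the thread or of any specification text. It assumes the IdP echoes "state" unchanged as proposed; the endpoint URLs and the `session` dict standing in for the RP's server-side session are constructed for illustration.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed placeholder endpoints (assumptions, not taken from the thread).
END_SESSION_ENDPOINT = "https://idp.example/logout"
POST_LOGOUT_REDIRECT_URI = "https://rp.example/logged-out"


def begin_logout(session: dict) -> str:
    """Mint a one-time state, bind it to the RP session, return the logout URL."""
    state = secrets.token_urlsafe(32)  # unguessable, so it can act as a session key
    session["logout_state"] = state
    query = urlencode({
        "post_logout_redirect_uri": POST_LOGOUT_REDIRECT_URI,
        "state": state,
    })
    return f"{END_SESSION_ENDPOINT}?{query}"


def finish_logout(session: dict, callback_url: str) -> bool:
    """Accept the post-logout callback only if it echoes this session's state."""
    # Pop before checking: the value is single use, even when the check fails.
    expected = session.pop("logout_state", None)
    values = parse_qs(urlsplit(callback_url).query).get("state", [])
    if expected is None or len(values) != 1:
        return False  # no logout pending, or state missing or duplicated
    # Constant-time comparison of the echoed value against the stored one.
    return hmac.compare_digest(values[0].encode(), expected.encode())
```

A callback that arrives with no pending state, a replayed state, or a value the RP never issued is rejected, which is what lets the RP tie the redirect back to the request series it started.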