[Openid-specs-ab] Possible state parameter for RP-initiated logout

John Bradley ve7jtb at ve7jtb.com
Wed Jul 2 14:17:55 UTC 2014


I think the proposal was to re-use the session_state parameter that the IdP sets in the initial response and is subsequently used by the client in session management API calls to prevent third parties from making API calls and leaking info.  

That would be completely different from RP state sent as part of the logout request.   

I think two things are being confused into the "state" conversation.

John B.

On Jul 1, 2014, at 8:35 AM, Thomas Broyer <t.broyer at gmail.com> wrote:

> That makes sense. Particularly given that all post_logout_redirect_uri should be pre-registered and are compared byte-for-byte, leaving no place to, e.g., add query-string arguments to customize the behavior upon redirection. So yes, there should be a 'state' parameter.
> 
> I'm going to add it to our implementation ASAP.
> 
> 
> On Tue, Jul 1, 2014 at 2:31 AM, Mike Jones <Michael.Jones at microsoft.com> wrote:
> Some Microsoft product people have requested an optional “state” parameter for RP-initiated logout requests.  Like the OAuth “state” parameter this would be passed to the end_session_endpoint as an optional query parameter, and if present, would be passed back with the same value to the post_logout_redirect_uri endpoint.
> 
> What do people think of this proposal?
> 
> RP-initiated logout is defined at http://openid.net/specs/openid-connect-session-1_0.html#RPLogout.
> 
> -- Mike
> 
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
> 
> 
> 
> 
> -- 
> Thomas Broyer
> /tɔ.ma.bʁwa.je/
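
The round trip proposed in this thread, as an added sketch that is not part of the original messages or of any participant's implementation: the RP sends an opaque `state` with its logout request, the OP compares `post_logout_redirect_uri` byte-for-byte against the registered values and echoes `state` back, and the RP uses it to recover per-request context. The hosts, the `return_to` field and the function names are assumptions, and the registered URI is assumed to carry no query string of its own.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed values: hypothetical OP endpoint and pre-registered RP logout URI.
END_SESSION_ENDPOINT = "https://op.example/end_session"
REGISTERED_LOGOUT_URIS = {"https://rp.example/logged-out"}

def rp_build_logout_url(session, return_to):
    """RP: mint an unguessable state, bind it to local context, build the request."""
    state = secrets.token_urlsafe(16)
    # The per-request customization stays server-side, keyed by state,
    # because the redirect URI itself cannot carry extra query arguments.
    session["logout_state"] = {"value": state, "return_to": return_to}
    query = urlencode({"post_logout_redirect_uri": "https://rp.example/logged-out",
                       "state": state})
    return f"{END_SESSION_ENDPOINT}?{query}"

def op_handle_logout(request_url):
    """OP: exact-match the redirect URI, then pass state back unchanged."""
    params = parse_qs(urlsplit(request_url).query)
    uri = params.get("post_logout_redirect_uri", [None])[0]
    if uri not in REGISTERED_LOGOUT_URIS:  # byte-for-byte, no prefix matching
        return None                        # never redirect to an unregistered URI
    state = params.get("state", [None])[0]
    return uri if state is None else f"{uri}?{urlencode({'state': state})}"

def rp_handle_post_logout(session, callback_url):
    """RP: accept the callback only if state matches the one issued; single use."""
    expected = session.pop("logout_state", None)
    got = parse_qs(urlsplit(callback_url).query).get("state", [""])[0]
    if expected is None or not hmac.compare_digest(
            expected["value"].encode(), got.encode()):
        return None
    return expected["return_to"]
```
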
