[Openid-specs-ab] post_logout_redirect_uri and NOT signing out of the OP

Thomas Broyer t.broyer at gmail.com
Fri Aug 22 10:37:18 UTC 2014

Hi all,

The OpenID Connect Session Management draft is not clear on one point: what
happens if the user doesn't want to sign out of the OP (i.e. is OK with
just signing out of the RP), should the OP redirect to the
post_logout_redirect_uri or not?
My understanding is that post_logout_redirect_uri is only to be used when
the user signs out of the OP, and if he doesn't then the OP redirects him
to whatever URL he wants (the OP's home page for instance) or just
instructs the user to close the window/tab or move away to anywhere he


BTW, how are you considering revocation of the tokens issued by the OP to
the RP identified by the id_token_hint? Do you think it's the OP's role to
revoke them (when? when loading the page? that could probably lead to
attacks if someone can steal an old IDToken and signing out another user if
he can make that user load the page; with an explicit "only sign me out of
the RP" action? that could lead to tokens not being revoked if the user
leaves the page without clicking), the RP's role (using a token revocation
endpoint), or maybe both (just to be sure).
Similar question if the id_token_hint doesn't match the logged-in user (and
it's the OP's role to revoke the token): I suppose you discussed the
various choices an OP would have; in your opinion, would it rather revoke
the tokens anyway or not? (treating an mismatching id_token_hint as if the
id_token_hint was missing; this is what I'm currently doing)

Thomas Broyer
/tɔ.ma.bʁwa.je/ <http://xn--nna.ma.xn--bwa-xxb.je/>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20140822/6346fd4d/attachment.html>

More information about the Openid-specs-ab mailing list