[Openid-specs-ab] post_logout_redirect_uri and NOT signing out of the OP
t.broyer at gmail.com
Thu Aug 28 16:09:59 UTC 2014
Ping. It's been almost a week without an answer already. Should I rather try
the interop group?
On 22 Aug 2014 12:37, "Thomas Broyer" <t.broyer at gmail.com> wrote:
> Hi all,
> The OpenID Connect Session Management draft is not clear on one point:
> what happens if the user doesn't want to sign out of the OP (i.e. is OK
> with just signing out of the RP), should the OP redirect to the
> post_logout_redirect_uri or not?
> My understanding is that post_logout_redirect_uri is only to be used when
> the user signs out of the OP, and if he doesn't then the OP redirects him
> to whatever URL he wants (the OP's home page for instance) or just
> instructs the user to close the window/tab or move away to anywhere he
> BTW, how are you considering revocation of the tokens issued by the OP to
> the RP identified by the id_token_hint? Do you think it's the OP's role to
> revoke them (when? when loading the page? that could probably lead to
> attacks if someone can steal an old IDToken and sign out another user if
> he can make that user load the page; with an explicit "only sign me out of
> the RP" action? that could lead to tokens not being revoked if the user
> leaves the page without clicking), the RP's role (using a token revocation
> endpoint), or maybe both (just to be sure).
> Similar question if the id_token_hint doesn't match the logged-in user
> (and it's the OP's role to revoke the token): I suppose you discussed the
> various choices an OP would have; in your opinion, would it rather revoke
> the tokens anyway or not? (treating a mismatching id_token_hint as if the
> id_token_hint was missing; this is what I'm currently doing)
> Thomas Broyer
> /tɔ.ma.bʁwa.je/ <http://xn--nna.ma.xn--bwa-xxb.je/>
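Added example for this thread, not code from the Session Management draft or from Thomas Broyer: a model of an OP end-session endpoint that follows the approach described above. Loading the page changes no state (so a stolen id_token_hint alone cannot log another user out); an invalid or mismatching hint is treated exactly like a missing one; the post_logout_redirect_uri is honoured only after the user confirms OP sign-out and only if it was pre-registered for the RP named by a matching hint; the "only sign me out of the RP" choice revokes that RP's tokens without redirecting. The HS256 signing key, issuer, client registry, and the names `end_session`, `Decision` and `user_choice` are constructed assumptions; a production OP would verify asymmetric signatures and actually tear down the session.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional

ISSUER = "https://op.example.com"           # constructed OP issuer
HINT_SIGNING_KEY = b"constructed-demo-key"   # constructed; a real OP uses RS256/ES256 keys
# Constructed client registry: post_logout_redirect_uris each RP registered in advance.
CLIENT_REGISTRY = {
    "rp-example": {"https://rp.example.com/logged-out"},
}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(sub: str, aud: str) -> str:
    """Constructed helper that mints an HS256 ID Token so the example has input to work on."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({"iss": ISSUER, "sub": sub, "aud": aud}).encode())
    sig = hmac.new(HINT_SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_id_token_hint(token: str) -> Optional[dict]:
    """Return the claims of a hint this OP issued, or None if it cannot be trusted.
    Expiry is deliberately not checked: the hint only identifies a session and an RP."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    expected = hmac.new(HINT_SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(payload))
    except ValueError:  # malformed base64 or JSON
        return None
    if not isinstance(claims, dict) or claims.get("iss") != ISSUER:
        return None
    return claims


@dataclass
class Decision:
    action: str                              # "confirm", "redirect" or "op_page"
    client_id: Optional[str] = None          # RP named by a *matching* hint, else None
    redirect_to: Optional[str] = None        # set only for "redirect"
    revoke_for_client: Optional[str] = None  # RP whose tokens the OP should revoke


def end_session(session_sub: Optional[str], id_token_hint: Optional[str],
                post_logout_redirect_uri: Optional[str], user_choice: Optional[str]) -> Decision:
    """Decide how the OP's end-session page responds.

    session_sub  subject currently logged in at the OP (None if nobody is)
    user_choice  None on first page load, then "logout_op" or "stay" once the user clicked
    """
    claims = verify_id_token_hint(id_token_hint) if id_token_hint else None
    client_id = None
    if claims is not None and session_sub is not None and claims.get("sub") == session_sub:
        aud = claims.get("aud")
        client_id = aud if isinstance(aud, str) else None
    # An invalid or mismatching hint is handled like a missing one: it names no RP,
    # so nothing is revoked for it and it cannot steer the redirect.

    if user_choice is None:
        # Loading the page changes no state, so a stolen hint on its own logs nobody out.
        return Decision("confirm", client_id=client_id)

    if user_choice == "stay":
        # "Only sign me out of the RP": keep the OP session, drop the RP's tokens, no redirect.
        return Decision("op_page", client_id=client_id, revoke_for_client=client_id)

    if user_choice != "logout_op":
        raise ValueError(f"unknown user choice: {user_choice!r}")

    # The OP session ends here (actual session teardown is outside this example).
    registered = CLIENT_REGISTRY.get(client_id, set()) if client_id else set()
    if post_logout_redirect_uri in registered:
        return Decision("redirect", client_id, post_logout_redirect_uri, client_id)
    # No matching hint or unregistered URI: stay on an OP-controlled page instead.
    return Decision("op_page", client_id=client_id, revoke_for_client=client_id)
```

The registry check is what keeps post_logout_redirect_uri from becoming an open redirect, and tying revocation to an explicit click (rather than to the page load) is the trade-off Thomas describes: a user who navigates away without clicking leaves the RP's tokens alive, which is why the RP may still want to call a revocation endpoint itself.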