[Openid-specs-ab] post_logout_redirect_uri and NOT signing out of the OP
Michael.Jones at microsoft.com
Thu Aug 28 16:25:56 UTC 2014
If the user decides not to log out of the OP, it seems to me like it’s up to the OP what to do next. I agree with you that the post_logout_redirect_uri is intended to be used in the case when the user is logged out.
On your question about the id_token_hint not matching the logged in user, remember that there may be multiple signed in users. The intent is for the user identified in the id_token_hint to be logged out. If that user is already logged out, there’s nothing to do.
From: openid-specs-ab-bounces at lists.openid.net On Behalf Of Thomas Broyer
Sent: Thursday, August 28, 2014 9:10 AM
To: openid-specs-ab at lists.openid.net
Subject: Re: [Openid-specs-ab] post_logout_redirect_uri and NOT signing out of the OP
Ping. It's been almost a week without answer already. Should I rather try the interop group?
On 22 August 2014 at 12:37, "Thomas Broyer" <t.broyer at gmail.com> wrote:
The OpenID Connect Session Management draft is not clear on one point: what happens if the user doesn't want to sign out of the OP (i.e. is OK with just signing out of the RP), should the OP redirect to the post_logout_redirect_uri or not?
My understanding is that post_logout_redirect_uri is only to be used when the user signs out of the OP, and if he doesn't then the OP redirects him to whatever URL he wants (the OP's home page for instance) or just instructs the user to close the window/tab or move away to anywhere he wants.
BTW, how are you considering revocation of the tokens issued by the OP to the RP identified by the id_token_hint? Do you think it's the OP's role to revoke them (when? when loading the page? that could probably lead to attacks if someone can steal an old IDToken and sign out another user if he can make that user load the page; with an explicit "only sign me out of the RP" action? that could lead to tokens not being revoked if the user leaves the page without clicking), the RP's role (using a token revocation endpoint), or maybe both (just to be sure).
Similar question if the id_token_hint doesn't match the logged-in user (and it's the OP's role to revoke the token): I suppose you discussed the various choices an OP would have; in your opinion, would it rather revoke the tokens anyway or not? (treating a mismatching id_token_hint as if the id_token_hint was missing; this is what I'm currently doing)
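As an added illustration (not code from the thread, the spec, or any OP implementation), here is the decision logic an OP logout endpoint would follow under the answer above: log out only the user named in the id_token_hint, do nothing if that user has no OP session, redirect to post_logout_redirect_uri only when the user actually confirmed OP logout and the URI is registered for the RP in the hint's aud. The session store, client registration table and the already signature-verified hint claims are assumed inputs.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set
from urllib.parse import urlencode

@dataclass
class LogoutResult:
    ended_subs: List[str]         # OP sessions actually terminated by this request
    redirect_to: Optional[str]    # None means the OP picks its own page (e.g. its home page)
    reason: str

def rp_initiated_logout(sessions: Dict[str, Set[str]], clients: Dict[str, dict],
                        hint_claims: Optional[dict], post_logout_redirect_uri: Optional[str] = None,
                        state: Optional[str] = None, user_confirmed_op_logout: bool = False):
    """Decide what the OP does for one RP-initiated logout request (assumed data model).

    sessions:    {sub: {client_id, ...}} for every user signed in on this browser (may be several)
    clients:     {client_id: {"post_logout_redirect_uris": [...]}} registered RP metadata
    hint_claims: claims of an id_token_hint whose signature and issuer were already verified
    """
    # A missing hint, or one that cannot name a user, is treated the same way: the OP must
    # ask the user, because with several signed-in users there is no single "current" one.
    if not hint_claims or "sub" not in hint_claims:
        return LogoutResult([], None, "no usable id_token_hint: OP must ask which user to log out")
    sub = hint_claims["sub"]
    aud = hint_claims.get("aud")
    client_id = aud[0] if isinstance(aud, list) else aud
    if sub not in sessions:
        # The hinted user is not signed in here; other users' sessions are left untouched.
        return LogoutResult([], None, "hinted user already logged out of the OP; nothing to do")
    if not user_confirmed_op_logout:
        # User wants to leave only the RP: no OP session ends and post_logout_redirect_uri is
        # not used, since it is meant for the case where the OP logout actually happened.
        return LogoutResult([], None, "user declined OP logout; OP decides where to go next")
    del sessions[sub]
    # Honour only a redirect URI pre-registered for the RP named in the hint's aud, so a
    # stale or forged hint cannot turn the endpoint into an open redirector.
    registered = clients.get(client_id, {}).get("post_logout_redirect_uris", [])
    if post_logout_redirect_uri and post_logout_redirect_uri in registered:
        target = post_logout_redirect_uri
        if state:
            target += ("&" if "?" in target else "?") + urlencode({"state": state})
        return LogoutResult([sub], target, "OP session ended; redirecting to registered RP URI")
    return LogoutResult([sub], None, "OP session ended; unregistered or absent redirect URI ignored")
```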