[Openid-specs-ab] post_logout_redirect_uri and NOT signing out of the OP
t.broyer at gmail.com
Thu Aug 28 21:11:54 UTC 2014
On Thu, Aug 28, 2014 at 6:25 PM, Mike Jones <Michael.Jones at microsoft.com>
> If the user decides not to log out of the OP, it seems to me like it’s
> up to the OP what to do next. I agree with you that the
> post_logout_redirect_uri is intended to be used in the case when the user
> is logged out.
I think the spec should be clarified on this topic.
> On your question about the id_token_hint not matching the logged in
> user, remember that there may be multiple signed in users. The intent is
> for the user identified in the id_token_hint to be logged out. If that
> user is already logged out, there’s nothing to do.
And so if the id_token_hint identifies user A and you're logged in as user
B, the OP would just redirect you to the post_logout_redirect_uri? (but
then the user is still logged in, as user B, so he could possibly be
automatically logged into the RP as user B; this is probably also a problem
if you're logged in with 2 accounts, log out from one of them (identified
in the id_token_hint) and are therefore redirected to the
post_logout_redirect_uri, which could then "inadvertently" log you in at
the RP with your other account that's still logged in at the OP)
Would you have any advice re. whether and when to revoke tokens?
We currently ask the RPs to call the revocation endpoint by themselves, and
don't revoke tokens at the end_session_endpoint (unless you log out of the
OP entirely of course); I wonder what behavior would be the more secure,
and the pros and cons of each approach.
(if the spec could give some guidance about that, that would be great!)
> -- Mike
> *From:* openid-specs-ab-bounces at lists.openid.net [mailto:
> openid-specs-ab-bounces at lists.openid.net] *On Behalf Of *Thomas Broyer
> *Sent:* Thursday, August 28, 2014 9:10 AM
> *To:* openid-specs-ab at lists.openid.net
> *Subject:* Re: [Openid-specs-ab] post_logout_redirect_uri and NOT signing
> out of the OP
> Ping. It's been almost a week without answer already. Should I rather try
> the interop group?
> Le 22 août 2014 12:37, "Thomas Broyer" <t.broyer at gmail.com> a écrit :
> Hi all,
> The OpenID Connect Session Management draft is not clear on one point:
> what happens if the user doesn't want to sign out of the OP (i.e. is OK
> with just signing out of the RP), should the OP redirect to the
> post_logout_redirect_uri or not?
> My understanding is that post_logout_redirect_uri is only to be used when
> the user signs out of the OP, and if he doesn't then the OP redirects him
> to whatever URL he wants (the OP's home page for instance) or just
> instructs the user to close the window/tab or move away to anywhere he
> BTW, how are you considering revocation of the tokens issued by the OP to
> the RP identified by the id_token_hint? Do you think it's the OP's role to
> revoke them (when? when loading the page? that could probably lead to
> attacks if someone can steal an old IDToken and sign out another user if
> he can make that user load the page; with an explicit "only sign me out of
> the RP" action? that could lead to tokens not being revoked if the user
> leaves the page without clicking), the RP's role (using a token revocation
> endpoint), or maybe both (just to be sure).
> Similar question if the id_token_hint doesn't match the logged-in user
> (and it's the OP's role to revoke the token): I suppose you discussed the
> various choices an OP would have; in your opinion, would it rather revoke
> the tokens anyway or not? (treating a mismatching id_token_hint as if the
> id_token_hint was missing; this is what I'm currently doing)
> Thomas Broyer
> /tɔ.ma.bʁwa.je/ <http://xn--nna.ma.xn--bwa-xxb.je/>
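The cases argued over in this thread (a mismatching id_token_hint treated as if it were missing, post_logout_redirect_uri honoured only when the user really is signed out of the OP and only when it is registered for the RP the hint identifies, several users signed in at the OP at once) can be written down as one decision function. The block below is an added illustration of that logic, not code from any OpenID implementation or from the spec; it assumes the id_token_hint's signature and issuer were already verified upstream, and the client registry, session object and URLs in it are constructed for the example.

```python
"""Decision logic for an OP end_session_endpoint (constructed example).

Assumed: the id_token_hint's signature and issuer have already been
verified, so only its claims are handled here.
"""
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlencode

# Constructed client registry: client_id -> registered post-logout URIs.
CLIENT_REGISTRY = {
    "rp-client": ["https://rp.example/logged-out"],
}


@dataclass
class IdTokenHint:
    sub: str   # user the RP wants logged out
    aud: str   # client_id of the RP that obtained the ID Token


@dataclass
class OpSession:
    # Several users may be signed in at the OP at the same time.
    subjects: set = field(default_factory=set)
    # (sub, client_id) pairs whose tokens the OP has revoked.
    revoked: list = field(default_factory=list)


@dataclass
class Outcome:
    logged_out_sub: Optional[str]
    redirect_to: str
    remaining_subjects: set


def handle_end_session(session: OpSession,
                       hint: Optional[IdTokenHint],
                       post_logout_redirect_uri: Optional[str],
                       state: Optional[str],
                       user_consents_to_op_logout: bool,
                       op_home: str = "https://op.example/") -> Outcome:
    """Return what the OP does for one end_session request."""
    # A hint naming a user who is not signed in here is treated exactly
    # like a missing hint: it identifies neither a session to end nor a
    # client whose registered redirect URI may be trusted.
    if hint is not None and hint.sub not in session.subjects:
        hint = None

    # post_logout_redirect_uri is only honoured when it is registered for
    # the client named by a valid hint; without a hint it is ignored.
    target = None
    if hint is not None and post_logout_redirect_uri in CLIENT_REGISTRY.get(hint.aud, []):
        target = post_logout_redirect_uri

    if hint is None or not user_consents_to_op_logout:
        # Nothing was ended at the OP, so post_logout_redirect_uri is not
        # used: the user lands on a neutral OP page, not back at the RP.
        return Outcome(None, op_home, set(session.subjects))

    # The identified user really is signed out of the OP, and the OP
    # revokes that user's tokens for the requesting RP.
    session.subjects.discard(hint.sub)
    session.revoked.append((hint.sub, hint.aud))

    if target is None:
        return Outcome(hint.sub, op_home, set(session.subjects))
    redirect = target
    if state is not None:
        redirect += "?" + urlencode({"state": state})
    return Outcome(hint.sub, redirect, set(session.subjects))
```

`remaining_subjects` being non-empty after a redirect is the two-account case from the thread: the RP receives the redirect while another user is still signed in at the OP, so an RP that immediately starts a new authentication may well get that other account, and an OP that wants to avoid this can choose `op_home` instead of the registered URI whenever other subjects remain.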