[Openid-specs-ab] OpenID Connect Logout using HTTP GET

Thomas Broyer t.broyer at ltgt.net
Sat Feb 14 09:05:08 UTC 2015


Isn't there a risk of an attacker logging a user out of a third-party
(victim) site just by loading that logout_url? At a minimum the RP should
check the request's origin or referrer but AFAIK this wouldn't be reliable
with such cross-origin requests (at least for older browsers not sending an
Origin header), but maybe the OP could compute some value based on a shared
secret, or use a signed JWT, and pass it as a query string parameter to
"authenticate" the request?

Le sam. 14 févr. 2015 07:12, Mike Jones <Michael.Jones at microsoft.com> a
écrit :
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20150214/f0bd7421/attachment.html>

More information about the Openid-specs-ab mailing list