[Openid-specs-ab] OpenID Connect Logout using HTTP GET
t.broyer at ltgt.net
Sat Feb 14 09:05:08 UTC 2015
Isn't there a risk of an attacker logging a user out of a third-party
(victim) site just by loading that logout_url? At a minimum the RP should
check the request's origin or referrer but AFAIK this wouldn't be reliable
with such cross-origin requests (at least for older browsers not sending an
Origin header), but maybe the OP could compute some value based on a shared
secret, or use a signed JWT, and pass it as a query string parameter to
"authenticate" the request?
On Sat, 14 Feb 2015 07:12, Mike Jones <Michael.Jones at microsoft.com> wrote
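To make the proposal concrete, here is an added example (not code from the original message, the OpenID Connect specs or any implementation) of the "value computed from a shared secret" variant: the OP appends the session id, an issue time and an HMAC tag to the logout URL, and the RP refuses to end the session unless the tag verifies, the request is fresh, and the tag has not been seen before. The endpoint, parameter names (`sid`, `iat`, `sig`), the 120 s window and the shared secret are all assumptions made for the example; a signed JWT carrying the same claims would serve the same purpose. The `origin_header_acceptable` helper shows why an Origin/Referer check alone is weak: a missing header (older browsers, or a browser that strips it) cannot be distinguished from an attack, so the RP has to choose between failing open and breaking legitimate clients.

```python
import hashlib
import hmac
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Constructed shared secret, assumed to be provisioned out of band when the RP
# registered with the OP (as a client secret would be). Demo value only.
SHARED_SECRET = b"constructed-demo-secret-not-for-production"

# Assumed freshness window for a logout URL, in seconds.
MAX_AGE_SECONDS = 120


def _tag(sid: str, iat: int) -> str:
    """HMAC-SHA256 over the session id and issue time, keyed with the shared secret."""
    msg = f"{sid}.{iat}".encode()
    return hmac.new(SHARED_SECRET, msg, hashlib.sha256).hexdigest()


def op_build_logout_url(rp_logout_endpoint: str, sid: str, now: Optional[int] = None) -> str:
    """OP side: build the GET logout URL with sid, iat and an authenticating tag."""
    iat = int(time.time()) if now is None else now
    return f"{rp_logout_endpoint}?sid={sid}&iat={iat}&sig={_tag(sid, iat)}"


def rp_verify_logout_request(url: str, now: Optional[int] = None,
                             seen: Optional[set] = None) -> Tuple[bool, str]:
    """RP side: decide whether a logout GET may end the session.

    Returns (True, sid) on success, or (False, reason) when the request is
    unsigned, tampered with, stale, or a replay of a tag already accepted.
    """
    q = parse_qs(urlparse(url).query)
    try:
        sid = q["sid"][0]
        iat = int(q["iat"][0])
        sig = q["sig"][0]
    except (KeyError, ValueError):
        return False, "missing or malformed parameter"

    # Constant-time comparison so a mismatch does not leak where it differs.
    if not hmac.compare_digest(sig, _tag(sid, iat)):
        return False, "bad signature"

    t = int(time.time()) if now is None else now
    if not (0 <= t - iat <= MAX_AGE_SECONDS):
        return False, "stale or future-dated"

    # Optional one-time-use check: a valid URL captured within the window
    # would otherwise be replayable. `seen` would be a short-lived store in
    # a real deployment; a set suffices here.
    if seen is not None:
        if sig in seen:
            return False, "replayed"
        seen.add(sig)

    return True, sid


def origin_header_acceptable(headers: dict, allowed_origin: str) -> Optional[bool]:
    """Weaker first layer: check Origin (or Referer) against the OP's origin.

    Returns True/False when a header is present, and None when neither is,
    which is the case the poster flags as unreliable for older browsers.
    """
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return None
        parsed = urlparse(referer)
        origin = f"{parsed.scheme}://{parsed.netloc}"
    return origin == allowed_origin


if __name__ == "__main__":
    url = op_build_logout_url("https://rp.example/logout", "s3ss10n-id")
    print(url)
    print(rp_verify_logout_request(url))
    print(rp_verify_logout_request("https://rp.example/logout?sid=s3ss10n-id"))
    print(origin_header_acceptable({}, "https://op.example"))
```

Note that the tag only proves the URL was minted by the OP; it does not tie the request to the victim's browser, so the freshness window and the one-time-use store are what limit an attacker who obtains a valid URL. Binding the tag to a per-session value that only the RP knows would close that gap further.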