[Openid-specs-ab] OpenID Connect Logout using HTTP GET

Torsten Lodderstedt torsten at lodderstedt.net
Sun Feb 15 16:08:45 UTC 2015


Hi,

why do you consider this a risk?

kind regards,
Torsten.

Am 14.02.2015 um 10:05 schrieb Thomas Broyer:
>
> Hi,
>
> Isn't there a risk of an attacker logging a user out of a third-party 
> (victim) site just by loading that logout_url? At a minimum the RP 
> should check the request's origin or referrer but AFAIK this wouldn't 
> be reliable with such cross-origin requests (at least for older 
> browsers not sending an Origin header), but maybe the OP could compute 
> some value based on a shared secret, or use a signed JWT, and pass it 
> as a query string parameter to "authenticate" the request?
>
> Le sam. 14 févr. 2015 07:12, Mike Jones <Michael.Jones at microsoft.com 
> <mailto:Michael.Jones at microsoft.com>> a écrit :
>
>
>
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20150215/8bb9c0b6/attachment.html>


More information about the Openid-specs-ab mailing list