[Openid-specs-ab] OpenID Connect Logout using HTTP GET

John Bradley ve7jtb at ve7jtb.com
Sun Feb 15 16:22:41 UTC 2015


It might be used as a denial of service via xsrf.

I originally wanted to make the id_token_hint required to prevent that sort of thing from working.  
That was softened to a RECOMMENDED in the Session Management spec. 

I suspect a compromise might be for the IdP to prompt the user if the request doesn’t contain a valid id_token_hint.

John B.

> On Feb 15, 2015, at 1:08 PM, Torsten Lodderstedt <torsten at lodderstedt.net> wrote:
> 
> Hi,
> 
> why do you consider this a risk? 
> 
> kind regards,
> Torsten.
> 
> On 14.02.2015 at 10:05, Thomas Broyer wrote:
>> Hi,
>> 
>> Isn't there a risk of an attacker logging a user out of a third-party (victim) site just by loading that logout_url? At a minimum the RP should check the request's origin or referrer but AFAIK this wouldn't be reliable with such cross-origin requests (at least for older browsers not sending an Origin header), but maybe the OP could compute some value based on a shared secret, or use a signed JWT, and pass it as a query string parameter to "authenticate" the request?
>> On Sat, 14 Feb 2015 07:12, Mike Jones <Michael.Jones at microsoft.com> wrote:
>> 
>> 
>> 
>> _______________________________________________
>> Openid-specs-ab mailing list
>> Openid-specs-ab at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
> 
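Added example (not from this thread or the OpenID Connect specs): an RP-side sketch of Thomas's idea, where the OP signs a short-lived logout token with a secret it shares with the RP and the RP ends a session only when a GET carries a valid one, so a bare cross-site request to the logout URL does nothing. The claim names, the `logout_token` parameter, the secret and the 120-second window are all constructed for the demo.

```python
import base64, hashlib, hmac, json
from urllib.parse import parse_qs

# Constructed demo values (assumptions, not from the thread or any spec).
SHARED_SECRET = b"demo-shared-secret-not-for-production"
EXPECTED_ISS = "https://op.example"
MAX_AGE = 120  # seconds a logout token stays acceptable

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_logout_token(sid: str, now: int, secret: bytes = SHARED_SECRET) -> str:
    """OP side: HMAC-SHA256 over compact JWT-style claims naming the session to end."""
    header = b64u(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64u(json.dumps({"iss": EXPECTED_ISS, "sid": sid, "iat": now}).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64u(sig)}"

def verify_logout_token(token: str, now: int, secret: bytes = SHARED_SECRET):
    """RP side: return the sid if the token is authentic and fresh, else None.
    The header's alg is deliberately ignored: the RP only ever accepts HMAC-SHA256."""
    try:
        h, p, s = token.split(".")
        expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64u_decode(s)):  # constant-time compare
            return None
        claims = json.loads(b64u_decode(p))
    except (ValueError, UnicodeDecodeError):
        return None
    if claims.get("iss") != EXPECTED_ISS or not isinstance(claims.get("iat"), int):
        return None
    if not 0 <= now - claims["iat"] <= MAX_AGE:  # reject stale or future-dated tokens
        return None
    return claims.get("sid")

def handle_logout_get(query_string: str, sessions: dict, now: int) -> str:
    """Simulated RP endpoint for GET /logout?logout_token=...; unauthenticated GETs are ignored."""
    token = parse_qs(query_string).get("logout_token", [None])[0]
    sid = verify_logout_token(token, now) if token else None
    if sid is None:
        return "rejected"          # no valid token: nobody gets logged out
    if sessions.pop(sid, None) is None:
        return "unknown_session"   # valid token, but no such session at this RP
    return "logged_out"
```

Replaying the same token after MAX_AGE or with a tampered signature is refused, which is the property the plain GET in the thread lacks.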
