[Openid-specs-ab] OpenID Connect Logout using HTTP GET
t.broyer at ltgt.net
Sun Feb 15 18:29:41 UTC 2015
On Sun Feb 15 2015 at 17:08:50 Torsten Lodderstedt <torsten at lodderstedt.net> wrote:
> why do you consider this a risk?
<meta http-equiv=refresh content="5">
Now try logging in to https://rp while this page is loaded in another
window/tab (could even be a concurrent serving this in an ad, so it's even
harder to detect, even for a tech-savvy user).
If there was a way for the OP to prove to the RP that it's the one "making"
the request, then that "attack" couldn't be used.
> kind regards,
> On 14.02.2015 at 10:05, Thomas Broyer wrote:
> Isn't there a risk of an attacker logging a user out of a third-party
> (victim) site just by loading that logout_url? At a minimum the RP should
> check the request's origin or referrer but AFAIK this wouldn't be reliable
> with such cross-origin requests (at least for older browsers not sending an
> Origin header), but maybe the OP could compute some value based on a shared
> secret, or use a signed JWT, and pass it as a query string parameter to
> "authenticate" the request?
> On Sat. 14 Feb. 2015 07:12, Mike Jones <Michael.Jones at microsoft.com>
> wrote:
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
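The thread above proposes that the OP "authenticate" a GET-based logout request by passing a value derived from a shared secret, or a signed JWT, in the query string so that a third party merely loading the logout URL cannot end the user's session. The following is an added example written for this archive page; it is not code from the thread, from any OpenID specification, or from any OP or RP implementation. It assumes a hypothetical OP at https://op.example, an RP registered there with client_id "rp-client-1", an HMAC shared secret that both sides hold (a constructed placeholder here), and a query parameter named logout_token; it shows an unauthenticated GET being rejected and an OP-signed request being accepted once, with replayed, expired and tampered tokens refused.

```python
"""RP-side check of an OP-signed logout request (constructed example, stdlib only)."""
import base64
import hashlib
import hmac
import json
from typing import Optional, Set
from urllib.parse import parse_qs, urlsplit

# Constructed placeholder values; in practice these come from client registration.
SHARED_SECRET = b"constructed-shared-secret-between-op-and-rp"
OP_ISSUER = "https://op.example"      # hypothetical OP
RP_CLIENT_ID = "rp-client-1"          # hypothetical client_id of the RP at that OP


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_logout_token(sid: str, jti: str, now: int, ttl: int = 60) -> str:
    """OP side: sign a short-lived HS256 JWT naming the RP session to end."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": OP_ISSUER, "aud": RP_CLIENT_ID, "sid": sid,
              "jti": jti, "iat": now, "exp": now + ttl}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_logout_token(token: str, now: int, seen_jti: Set[str]) -> Optional[str]:
    """RP side: return the sid to terminate, or None if the token is not acceptable."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(claims_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # malformed base64/JSON or wrong number of segments
        return None
    # Only accept the algorithm we agreed on; never let the token pick it.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(SHARED_SECRET, f"{header_b64}.{claims_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    # Bind the token to this OP/RP pair so a token minted for another RP is useless here.
    if claims.get("iss") != OP_ISSUER or claims.get("aud") != RP_CLIENT_ID:
        return None
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return None
    # A logout URL embedded in a page (or an ad) can be loaded repeatedly; reject replays.
    jti = claims.get("jti")
    if not isinstance(jti, str) or jti in seen_jti:
        return None
    seen_jti.add(jti)
    sid = claims.get("sid")
    return sid if isinstance(sid, str) else None


def handle_logout_get(url: str, now: int, seen_jti: Set[str]) -> str:
    """Simulated RP handler for GET /logout: only an OP-signed request ends a session."""
    qs = parse_qs(urlsplit(url).query)
    token = qs.get("logout_token", [None])[0]
    if token is None:
        return "rejected: no logout_token"
    sid = verify_logout_token(token, now, seen_jti)
    if sid is None:
        return "rejected: invalid logout_token"
    return f"logged out session {sid}"
```

The replay set is per-RP state keyed on jti; a real RP would expire entries once the token's exp has passed so the set does not grow without bound. The short ttl is what limits how long a leaked logout URL stays useful.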