[Openid-specs-ab] OpenID Connect Logout using HTTP GET

Thomas Broyer t.broyer at ltgt.net
Sun Feb 15 18:29:41 UTC 2015


On Sun Feb 15 2015 at 17:08:50 Torsten Lodderstedt <torsten at lodderstedt.net>
wrote:

>  Hi,
>
> why do you consider this a risk?
>
>
<meta http-equiv=refresh content="5">
<img src="https://rp/logout_url">

Now try logging in to https://rp while this page is loaded in another
window/tab (could even be a concurrent serving this in an ad, so it's even
harder to detect, even for a tech-savvy user).

If there was a way for the OP to prove to the RP that it's the one "making"
the request, then that "attack" couldn't be used.
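As an added illustration of the signed-value idea in the quoted proposal (example code written for this page, not from the thread or any OpenID specification): the OP appends an HMAC-signed value to the GET, and the RP's logout endpoint ends a session only when that value verifies, so the bare `<img src="https://rp/logout_url">` request above is refused. The parameter name `logout_token`, the shared secret, the issuer and the client id are assumptions.

```python
import base64, hashlib, hmac, json

SHARED_SECRET = b"constructed-demo-client-secret"  # OP/RP shared secret, e.g. the client_secret (constructed)
RP_CLIENT_ID = "https://rp"       # the RP's identifier, matching the <img> example (assumed)
OP_ISSUER = "https://op.example"  # assumed OP issuer

def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def op_sign_logout(sub, jti, now, secret=SHARED_SECRET):
    """OP side: logout_token = base64url(claims) '.' base64url(HMAC-SHA256(secret, claims))."""
    claims = {"iss": OP_ISSUER, "aud": RP_CLIENT_ID, "sub": sub, "iat": now, "jti": jti}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    mac = hmac.new(secret, payload, hashlib.sha256).digest()
    return b64url(payload) + "." + b64url(mac)

class RpLogoutEndpoint:
    """RP side: GET /logout_url?logout_token=... ends a session only if the token verifies."""
    def __init__(self, secret=SHARED_SECRET, max_age=120):
        self.secret, self.max_age = secret, max_age
        self.seen_jti = set()  # replay cache; a real RP would bound and expire it
        self.sessions = {}     # sub -> session state (stand-in for the RP session store)

    def handle_get(self, query, now):
        """Return (status, message); the session is removed only on 200."""
        token = query.get("logout_token")
        if not token:  # the bare <img src="https://rp/logout_url"> request lands here
            return 400, "missing logout_token"
        try:
            p64, m64 = token.split(".", 1)
            payload, mac = unb64url(p64), unb64url(m64)
            expected = hmac.new(self.secret, payload, hashlib.sha256).digest()
            if not hmac.compare_digest(expected, mac):
                return 403, "bad signature"  # a third party without the secret cannot produce this
            claims = json.loads(payload)
        except ValueError:  # covers bad base64, bad JSON and a token without '.'
            return 400, "malformed logout_token"
        if claims.get("iss") != OP_ISSUER or claims.get("aud") != RP_CLIENT_ID:
            return 403, "wrong issuer or audience"
        if not (now - self.max_age <= claims.get("iat", 0) <= now + 5):
            return 403, "stale logout_token"
        if claims.get("jti") in self.seen_jti:
            return 403, "replayed logout_token"
        self.seen_jti.add(claims["jti"])
        self.sessions.pop(claims.get("sub"), None)
        return 200, "logged out"
```

Binding the token to an audience, a short validity window and a one-time `jti` is what stops a captured or relayed URL from logging the user out of a different RP or at a later time.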



> kind regards,
> Torsten.
>
> On 14.02.2015 at 10:05, Thomas Broyer wrote:
>
> Hi,
>
> Isn't there a risk of an attacker logging a user out of a third-party
> (victim) site just by loading that logout_url? At a minimum the RP should
> check the request's origin or referrer but AFAIK this wouldn't be reliable
> with such cross-origin requests (at least for older browsers not sending an
> Origin header), but maybe the OP could compute some value based on a shared
> secret, or use a signed JWT, and pass it as a query string parameter to
> "authenticate" the request?
>
> On Sat. 14 Feb. 2015 07:12, Mike Jones <Michael.Jones at microsoft.com>
> wrote:
>
>
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>
>