[Openid-specs-ab] OpenID Connect Logout using HTTP GET

John Bradley ve7jtb at ve7jtb.com
Sun Feb 15 19:34:22 UTC 2015


forcing a user to logout of an RP might also be used as part of a larger phishing attack, especially if the IdP returns the user to the bad guy's landing page by redirecting to the post_logout_redirect_uri.
That redirect URI needs to be registered, but without authenticating the RP via having an id_token for the user, Bad RP A could log the user out of all sessions and redirect the user to itself, without the user currently being logged in.

Without the id_token all the IdP can do is log the user out of all sessions.

Though when we start talking about IdP session management things get a bit fuzzy. Many IdPs will automatically log the user back in to an RP if they are still logged in to the IdP; the IdP may not have any real notion of state per RP connection.

John B.
On Feb 15, 2015, at 1:29 PM, Torsten Lodderstedt <torsten at lodderstedt.net> wrote:
> against the RP or the user?
> Am 15.02.2015 um 17:22 schrieb John Bradley:
>> It might be used as a denial of service via xsrf.
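As an added illustration (not code from this thread or from any OP implementation) of the checks an OP can apply so that a logout GET carrying no proof of session neither silently ends the user's sessions nor bounces them to an unregistered page: the id_token_hint must verify, must belong to the current user, and the post_logout_redirect_uri must be registered to the client named in its aud. Assumed for the demo: HS256 with a shared key, an in-memory client registry, and the hypothetical helper names used below.

```python
import base64, hashlib, hmac, json

OP_KEY = b"constructed-demo-key"   # constructed; a real OP signs with its own key
CLIENTS = {                         # constructed registry: client_id -> registered URIs
    "good-rp": {"https://good-rp.example/loggedout"},
    "bad-rp": {"https://bad-rp.example/landing"},
}

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_id_token(sub, aud):
    # Hypothetical helper that only builds sample input for the checks below.
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"iss": "https://op.example", "sub": sub, "aud": aud}).encode())
    sig = hmac.new(OP_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def verify_id_token(token):
    # Returns the claims when the signature verifies, otherwise None.
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(OP_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        return json.loads(_unb64(payload))
    except ValueError:
        return None

def validate_logout(params, session_sub):
    # params: query parameters of the GET logout request;
    # session_sub: subject of the user's current OP session, or None.
    # Returns (action, redirect_uri), action in {"confirm", "reject", "logout"}.
    hint = params.get("id_token_hint")
    if hint is None:
        # Nothing proves the caller ever held a session for this user: never
        # redirect automatically; ask the user to confirm the logout instead.
        return ("confirm", None)
    claims = verify_id_token(hint)
    if claims is None or (session_sub is not None and claims.get("sub") != session_sub):
        return ("reject", None)   # forged token, or token for a different user
    uri = params.get("post_logout_redirect_uri")
    if uri is None:
        return ("logout", None)
    if uri not in CLIENTS.get(claims.get("aud"), set()):
        return ("reject", None)   # URI not registered to the RP the id_token was issued to
    return ("logout", uri)
```

With these checks a redirect is only ever issued to a URI registered by the same RP the user actually logged in to, which removes the landing-page bounce described above.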
