[Openid-specs-ab] OpenID Connect Logout using HTTP GET

Thomas Broyer t.broyer at ltgt.net
Sun Feb 15 23:23:53 UTC 2015


On Sun Feb 15 2015 at 17:22:49 John Bradley <ve7jtb at ve7jtb.com> wrote:

> It might be used as a denial of service via xsrf.
>
> I originally wanted to make the id_token_hint required to prevent that
> sort of thing from working.
> That was softened to a RECOMMENDED in the Session Management spec.
>
> I suspect a compromise might be for the IdP to prompt the user if the
> request doesn’t contain a valid id_token_hint.
>

This is already recommended in the Security Considerations section, but
that's for the OpenID Connect Session Management spec:
https://openid.net/specs/openid-connect-session-1_0.html#Security
And the RP-Initiated Logout section already says the OP SHOULD ask the
End-User anyway:
https://openid.net/specs/openid-connect-session-1_0.html#RPLogout

Actually, even with a valid id_token_hint you should IMO prompt the user.
id_token_hint values aren't secrets, they leak in id_token_hint to the
authorization_endpoint and aren't generally revocable (I mean, in most
implementations I believe).
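As an added example (not code from the thread or from any OpenID implementation), a small Python model of the OP-side decision for a GET to the logout endpoint, covering both the compromise proposed above (prompt only when the request lacks a valid id_token_hint for the current session) and the stricter position (always prompt, since a hint is not a secret). The issuer, HMAC key, client id and HS256 signing are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo values standing in for a real OP's configuration.
OP_ISSUER = "https://op.example"
HS256_KEY = b"constructed-demo-hmac-key"  # hypothetical key the demo OP signs id_tokens with

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_id_token(claims: dict) -> str:
    """Issue a compact HS256 JWT the way the demo OP signs id_tokens (used to build test input)."""
    signing_input = _b64url(b'{"alg":"HS256","typ":"JWT"}') + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(HS256_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_id_token_hint(token: str, client_id: str):
    """Return the claims if `token` is an id_token this OP issued to `client_id`, else None.
    Expiry is deliberately not enforced: the hint only identifies a session, it is not proof of authority."""
    try:
        h, p, s = token.split(".")
        if json.loads(_unb64url(h)).get("alg") != "HS256":
            return None  # the OP knows what it signs with; never trust the header's alg
        expected = hmac.new(HS256_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(s)):
            return None
        claims = json.loads(_unb64url(p))
    except (ValueError, UnicodeDecodeError, AttributeError):
        return None
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if claims.get("iss") != OP_ISSUER or client_id not in aud:
        return None
    return claims

def logout_decision(params: dict, session: dict, client_id: str, always_prompt: bool) -> str:
    """Decide a GET to the logout endpoint: 'prompt' shows a confirmation page, 'logout' ends the session.
    always_prompt=False: prompt only when no valid hint matches the current session (the compromise).
    always_prompt=True: confirm with the End-User regardless, because a hint is not a secret."""
    claims = verify_id_token_hint(params.get("id_token_hint", ""), client_id)
    hint_is_for_this_session = claims is not None and claims.get("sub") == session.get("sub")
    if always_prompt or not hint_is_for_this_session:
        return "prompt"
    return "logout"
```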