[Openid-specs-ab] OpenID Connect Logout using HTTP GET

Mike Jones Michael.Jones at microsoft.com
Mon Feb 16 07:02:49 UTC 2015

I'm increasingly thinking that we should allow the OP to include the ID Token for the RP as a query parameter in the logout request.  I'm thinking this for two reasons:
1.  It would validate to the RP that the logout request is legitimate.
2.  It would tell the RP which session to log out, should multiple users be logged in at the RP from the OP.

I don't think we should make including the ID Token required, since deployment circumstances will differ.  In some cases, the extra validation is important.  In others, it isn't.

If we do this, in the Discovery and Recovery metadata, we should have the RP and the OP say whether the require and provide the ID Token value as part of the logout message to the RP.

				-- Mike

-----Original Message-----
From: John Bradley [mailto:ve7jtb at ve7jtb.com] 
Sent: Sunday, February 15, 2015 11:34 AM
To: Torsten Lodderstedt
Cc: Thomas Broyer; Mike Jones; openid-specs-ab at lists.openid.net
Subject: Re: [Openid-specs-ab] OpenID Connect Logout using HTTP GET


forcing a user to logout of a RP might also be used as part of a larger phishing attack, especially if the IdP returns the user to the bad guys landing page by redirecting to the post_logout_redirect_uri.
That redirect URI needs to be registered but without authenticating the RP via having a id_token for the user Bad RP A could log the user out of all sessions and redirect the user to itself, without the user currently being logged in.

Without the id_token all the IdP can do is log the user out of all sessions.  

Though when we start talking about IdP session management things get a bit fuzzy,  Many IdP will automatically log the user back in to a RP if they are still logged in to the IdP, the IdP may not have any real notion of state per RP connection.

John B.
On Feb 15, 2015, at 1:29 PM, Torsten Lodderstedt <torsten at lodderstedt.net> wrote:
> against the RP or the user?
> Am 15.02.2015 um 17:22 schrieb John Bradley:
>> It might be used as a denial of service via xsrf.

More information about the Openid-specs-ab mailing list