[Openid-specs-ab] OpenID Connect Logout using HTTP GET

Mike Jones Michael.Jones at microsoft.com
Tue Feb 17 02:44:22 UTC 2015

An updated version is attached.  Changes were:
16-Feb-15            Added an optional id_token parameter to the logout_uri to authenticate requests and differentiate between sessions, plus related metadata values.  Added that non-200 HTTP status codes can be used when the logout fails.  Clarified when post-logout redirection to an RP occurs.

I believe that this addresses the comments received to date.

                                                                -- Mike

-----Original Message-----
From: Openid-specs-ab [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Mike Jones
Sent: Sunday, February 15, 2015 11:03 PM
To: John Bradley; Torsten Lodderstedt
Cc: openid-specs-ab at lists.openid.net
Subject: Re: [Openid-specs-ab] OpenID Connect Logout using HTTP GET

I'm increasingly thinking that we should allow the OP to include the ID Token for the RP as a query parameter in the logout request.  I'm thinking this for two reasons:

1.  It would validate to the RP that the logout request is legitimate.

2.  It would tell the RP which session to log out, should multiple users be logged in at the RP from the OP.

I don't think we should make including the ID Token required, since deployment circumstances will differ.  In some cases, the extra validation is important.  In others, it isn't.

If we do this, in the Discovery and Recovery metadata, we should have the RP and the OP say whether the require and provide the ID Token value as part of the logout message to the RP.

                                                                -- Mike

-----Original Message-----

From: John Bradley [mailto:ve7jtb at ve7jtb.com]

Sent: Sunday, February 15, 2015 11:34 AM

To: Torsten Lodderstedt

Cc: Thomas Broyer; Mike Jones; openid-specs-ab at lists.openid.net<mailto:openid-specs-ab at lists.openid.net>

Subject: Re: [Openid-specs-ab] OpenID Connect Logout using HTTP GET


forcing a user to logout of a RP might also be used as part of a larger phishing attack, especially if the IdP returns the user to the bad guys landing page by redirecting to the post_logout_redirect_uri.

That redirect URI needs to be registered but without authenticating the RP via having a id_token for the user Bad RP A could log the user out of all sessions and redirect the user to itself, without the user currently being logged in.

Without the id_token all the IdP can do is log the user out of all sessions.

Though when we start talking about IdP session management things get a bit fuzzy,  Many IdP will automatically log the user back in to a RP if they are still logged in to the IdP, the IdP may not have any real notion of state per RP connection.

John B.

On Feb 15, 2015, at 1:29 PM, Torsten Lodderstedt <torsten at lodderstedt.net<mailto:torsten at lodderstedt.net>> wrote:



> against the RP or the user?


> Am 15.02.2015 um 17:22 schrieb John Bradley:

>> It might be used as a denial of service via xsrf.



Openid-specs-ab mailing list

Openid-specs-ab at lists.openid.net<mailto:Openid-specs-ab at lists.openid.net>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20150217/5107d19f/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenID Connect Logout using HTTP GET.docx
Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
Size: 20811 bytes
Desc: OpenID Connect Logout using HTTP GET.docx
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20150217/5107d19f/attachment-0001.docx>

More information about the Openid-specs-ab mailing list