[Openid-specs-ab] Issue #1030: Front & back-channel logout: HTTPS URIs? (openid/connect)

Vladimir Dzhuvinov issues-reply at bitbucket.org
Thu Jun 21 06:15:59 UTC 2018

New issue 1030: Front & back-channel logout: HTTPS URIs?

Vladimir Dzhuvinov:

Shouldn't the logout specs include normative language about the use of HTTPS for logout URIs? Or at least outline the possible issues with plain vs HTTPS logout URIs in the "Security Considerations"?

My suggestion is to have HTTPS REQUIRED (or at least RECOMMENDED) for front-channel logout, for privacy and confidentiality reasons, and also to make it possible for the OP to render the logout iframe without complications (browsers normally block non-HTTPS iframes in HTML served with HTTPS).

Similarly for back-channel logout, where the logout token can be a JWS without additional JWE (or even `alg:none`).

More information about the Openid-specs-ab mailing list