[Openid-specs-ab] Issue #1030: Front & back-channel logout: HTTPS URIs? (openid/connect)
sakimura at gmail.com
Thu Jun 21 09:25:26 UTC 2018
+1 for requiring https.
On Thu, 21 Jun 2018 at 15:17, Vladimir Dzhuvinov via Openid-specs-ab <
openid-specs-ab at lists.openid.net> wrote:
> New issue 1030: Front & back-channel logout: HTTPS URIs?
> Vladimir Dzhuvinov:
> Shouldn't the logout specs include normative language about the use of
> HTTPS for logout URIs? Or at least outline the possible issues with plain
> vs HTTPS logout URIs in the "Security Considerations"?
> My suggestion is to have HTTPS REQUIRED (or at least RECOMMENDED) for
> front-channel logout, for privacy and confidentiality reasons, and also to
> make it possible for the OP to render the logout iframe without
> complications (browsers normally block non-HTTPS iframes in HTML served
> with HTTPS).
> Similarly for back-channel logout, where the logout token can be a JWS
> without additional JWE (or even `alg:none`).
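As an added illustration of the two points raised in the issue (not code from the thread or from any OpenID implementation): a registration-time check that rejects logout URIs which are not absolute https URIs, and a decode of an unsigned back-channel logout token showing that its claims are readable by anyone who can observe the request. The metadata field names and claim names are those of the OIDC Front-Channel and Back-Channel Logout specs; the issuer, client and session values are constructed.

```python
import base64
import json
from urllib.parse import urlsplit

# Client-metadata fields defined by the OIDC Front-Channel / Back-Channel Logout specs.
LOGOUT_URI_FIELDS = ("frontchannel_logout_uri", "backchannel_logout_uri")

def check_logout_uris(client_metadata):
    """Return problems for any registered logout URI that is not an absolute https URI.
    A plain-http frontchannel_logout_uri would also be blocked as mixed content
    when the OP embeds it in an iframe on an https page."""
    problems = []
    for field in LOGOUT_URI_FIELDS:
        uri = client_metadata.get(field)
        if uri is None:
            continue
        parts = urlsplit(uri)
        if parts.scheme.lower() != "https" or not parts.netloc:
            problems.append(f"{field} must be an absolute https URI, got {uri!r}")
    return problems

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_unsigned_logout_token(claims):
    """Build an alg:none JWS (no signature, no JWE) around the given claims."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."

def peek_logout_token(logout_token):
    """Decode a compact JWS without verifying it: this is what any on-path
    observer reads if the back-channel POST travels over plain http."""
    header_b64, payload_b64, _signature = logout_token.split(".")
    return (json.loads(_b64url_decode(header_b64)),
            json.loads(_b64url_decode(payload_b64)))

# Constructed sample claims (hypothetical issuer, client and session identifiers).
SAMPLE_CLAIMS = {
    "iss": "https://op.example", "sub": "user-123", "aud": "rp-client-id",
    "iat": 1529573126, "jti": "constructed-jti", "sid": "constructed-session-id",
    "events": {"http://schemas.openid.net/event/backchannel-logout": {}},
}

if __name__ == "__main__":
    print(check_logout_uris({"frontchannel_logout_uri": "http://rp.example/fc-logout",
                             "backchannel_logout_uri": "https://rp.example/bc-logout"}))
    print("sid readable without any key:", peek_logout_token(make_unsigned_logout_token(SAMPLE_CLAIMS))[1]["sid"])
```

The same decode applies to a properly signed JWS: a signature proves origin and integrity, but only TLS on the logout URI keeps the session identifiers confidential in transit.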