[Openid-specs-ab] Issue #1030: Front & back-channel logout: HTTPS URIs? (openid/connect)

Nat Sakimura sakimura at gmail.com
Thu Jun 21 09:25:26 UTC 2018


+1 for requiring https.

Thu, Jun 21, 2018 15:17 Vladimir Dzhuvinov via Openid-specs-ab <openid-specs-ab at lists.openid.net>:

> New issue 1030: Front & back-channel logout: HTTPS URIs?
>
> https://bitbucket.org/openid/connect/issues/1030/front-back-channel-logout-https-uris
>
> Vladimir Dzhuvinov:
>
> Shouldn't the logout specs include normative language about the use of
> HTTPS for logout URIs? Or at least outline the possible issues with plain
> vs HTTPS logout URIs in the "Security Considerations"?
>
> My suggestion is to have HTTPS REQUIRED (or at least RECOMMENDED) for
> front-channel logout, for privacy and confidentiality reasons, and also to
> make it possible for the OP to render the logout iframe without
> complications (browsers normally block non-HTTPS iframes in HTML served
> with HTTPS).
>
> Similarly for back-channel logout, where the logout token can be a JWS
> without additional JWE (or even `alg:none`).
>
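As an added example, not code from the thread or from the OpenID Connect specifications, the following Python shows what the two suggestions above look like when enforced by an OP: a registration-time check that rejects any `frontchannel_logout_uri` or `backchannel_logout_uri` that is not an absolute `https://` URI, and a pre-verification check on a back-channel logout token's JOSE header that refuses `alg: none` and any algorithm outside an OP-chosen allow list. It also decodes the claims of a sample token without a key, which is the reason a plain-`http` back-channel endpoint leaks `sub` and `sid`: a JWS is integrity-protected, not confidential. The function names, the allowed-algorithm set and the sample tokens and claims are constructed for this example.

```python
"""Added example (not part of the thread): OP-side checks for logout URIs
and for the JOSE header of a back-channel logout token. All names and
sample values are constructed for illustration."""
import base64
import json
from urllib.parse import urlparse

# Assumption: OP policy for signed logout tokens; "none" is never acceptable.
ALLOWED_LOGOUT_ALGS = {"RS256", "PS256", "ES256"}


def validate_logout_uri(uri: str) -> tuple[bool, str]:
    """Return (ok, reason) for a registered logout URI.

    Accept only absolute https:// URIs with a host and no userinfo. A
    fragment is also rejected: it is never sent to the server, so it can
    carry none of the logout parameters, and it only invites confusion.
    """
    try:
        p = urlparse(uri)
    except ValueError as e:  # e.g. malformed IPv6 literal
        return False, f"unparseable URI: {e}"
    if p.scheme != "https":
        return False, f"scheme must be https, got {p.scheme or 'none'!r}"
    if not p.hostname:
        return False, "missing host"
    if p.username or p.password:
        return False, "userinfo not allowed in authority"
    if p.fragment:
        return False, "fragment not allowed"
    return True, "ok"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def jws_header(token: str) -> dict:
    """Parse the protected header of a compact JWS (header.payload.signature).
    No signature is verified here; this only decides whether the token is
    worth handing to a JOSE library for verification."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated segments")
    return json.loads(_b64url_decode(parts[0]))


def check_logout_token_alg(token: str) -> tuple[bool, str]:
    """Reject unsigned tokens and algorithms outside the allow list before
    any cryptographic verification is attempted."""
    alg = jws_header(token).get("alg")
    if alg is None or str(alg).lower() == "none":
        return False, "unsigned logout token (alg none) rejected"
    if alg not in ALLOWED_LOGOUT_ALGS:
        return False, f"alg {alg!r} not in allowed set"
    return True, "ok"


def claims_without_verification(token: str) -> dict:
    """Decode the payload with no key at all: this is what an on-path
    observer sees if the back-channel endpoint is plain http."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def _compact(header: dict, payload: dict, signature: bytes = b"") -> str:
    """Build a compact serialization for the constructed samples below."""
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(payload).encode()),
                     _b64url(signature)])


# Constructed sample logout-token claims (values are placeholders).
SAMPLE_CLAIMS = {
    "iss": "https://op.example",
    "sub": "248289761001",
    "sid": "08a5019c-17e1-4977-8f42-65a12843ea02",
    "events": {"http://schemas.openid.net/event/backchannel-logout": {}},
}
UNSIGNED_LOGOUT_TOKEN = _compact({"alg": "none"}, SAMPLE_CLAIMS)
# Signature bytes are a placeholder: only the header is inspected here.
RS256_SHAPED_LOGOUT_TOKEN = _compact({"alg": "RS256", "kid": "k1"},
                                     SAMPLE_CLAIMS, b"\x00" * 32)

if __name__ == "__main__":
    for u in ("https://rp.example.com/logout", "http://rp.example.com/logout"):
        print(u, validate_logout_uri(u))
    print(check_logout_token_alg(UNSIGNED_LOGOUT_TOKEN))
    print(check_logout_token_alg(RS256_SHAPED_LOGOUT_TOKEN))
    print("readable without a key:", claims_without_verification(UNSIGNED_LOGOUT_TOKEN)["sid"])
```

The URI check belongs in dynamic client registration and in any admin UI that edits client metadata, so that a plain-`http` front-channel URI is never stored and the OP never has to render a mixed-content iframe. The header check is deliberately separate from verification: a real deployment still verifies the signature with the OP's published keys and validates `iss`, `aud`, `iat`, `events` and the `jti` replay rules; this example only closes the `alg: none` door before that step.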