[Openid-specs-ab] Issue #1032: rp-initiated logout - proposal for client_id parameter (openid/connect)

Vladimir Dzhuvinov vladimir at connect2id.com
Mon Jul 23 13:49:08 UTC 2018


Hi Filip,

I see where you come from. I had the (wrong) impression of the spec that
if a valid id_token_hint isn't found there's no sound way for the OP to
know that and which RP is making the request, and hence the redirect
will be "logically" ignored.

I'm going to file a ticket to consider making this explicit, with some
thoughts about that.

Cheers,

Vladimir


On 20/07/18 14:16, Filip Skokan wrote:
> Hello Vladimir,
>
> The OP is advised to render a prompt for the end-user in those cases where
> post_logout_redirect_uri is not provided. And there's no mention of
> ignoring the post_logout_redirect_uri param if id_token_hint is missing.
>
> Currently:
>
>> post_logout_redirect_uri
>> OPTIONAL. URL to which the RP is requesting that the End-User's User Agent
>> be redirected after a logout has been performed. The value MUST have been
>> previously registered with the OP, either using the
>> post_logout_redirect_uris Registration parameter or via another mechanism.
>> If supplied, the OP SHOULD honor this request following the logout.
>
> No mention of ignoring the value if id_token_hint is not provided.
>
> and under security considerations, the advice to prompt.
>
>> The id_token_hint parameter to a logout request can be used to determine
>> which RP initiated the logout request. Logout requests without a valid
>> id_token_hint value are a potential means of denial of service; therefore,
>> OPs may want to require explicit user confirmation before acting upon them.
>
> Supplying a client_id does not change a potential extra OP policy that
> id_token_hint must be provided if it chooses to do so, it simply makes
> post_logout_redirect_uri lookup possible in cases where loading all uris or
> clients into memory is not possible/is inefficient or can't query for all
> valid uris for the same reasons.
>
> Best,
> *Filip*
>
>
> On Fri, Jul 20, 2018 at 1:01 PM Vladimir Dzhuvinov via Openid-specs-ab <
> openid-specs-ab at lists.openid.net> wrote:
>
>> Hi Filip,
>>
>> My concern is that relying on the client_id opens up post logout
>> redirection to potential misuse.
>>
>> IMO the OP shouldn't be picking any redirections if it cannot be sure, to a
>> satisfactory degree, that it's the legitimate RP making the call.
>>
>> The ID token isn't really a substitute for proper RP authentication, but
>> it's some way towards that.
>>
>> A JWS request might help here, but it's probably too much to ask from RPs.
>>
>> Vladimir
>>
>>
>> On 20/07/18 11:10, Filip Skokan via Openid-specs-ab wrote:
>>> New issue 1032: rp-initiated logout - proposal for client_id parameter
>>>
>>> https://bitbucket.org/openid/connect/issues/1032/rp-initiated-logout-proposal-for-client_id
>>> Filip Skokan:
>>>
>>> I'd like to request that a parameter (optional or required?) client_id
>>> is defined for rp-initiated logout request.
>>> rationale:
>>>
>>> Currently the id_token_hint is the only way of identifying the client
>>> that's making the request. In scenarios where a client does not yet have an
>>> id_token but makes a request to authenticate which fails (e.g. due to being
>>> requested with essential sub claim through claims) the next step will be to
>>> trigger an rp initiated logout with a registered post_logout_redirect_uri
>>> but without an id_token_hint. This can be problematic for OP deployments
>>> with a high number of clients as it is not efficient or sometimes even not
>>> possible to iterate over all of them to see if this
>>> post_logout_redirect_uri is whitelisted or not. Hence the client_id
>>> parameter to make this lookup possible and efficient.
>>> Further processing may be defined such as if both client_id and
>>> id_token_hint are provided the audience of the id_token_hint must include
>>> the client_id etc.
>>
>> _______________________________________________
>> Openid-specs-ab mailing list
>> Openid-specs-ab at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>>

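As an added illustration of the validation logic debated in this thread (not code from the spec, the issue, or either author): an OP-side resolver that attributes the logout request to an RP via id_token_hint or the proposed client_id, checks the requested post_logout_redirect_uri only against that client's registered URIs, applies the proposed "audience must include client_id" rule, and requires End-User confirmation when no valid hint authenticates the RP or no redirect was requested. The client registry and claim values are constructed; signature and issuer verification of id_token_hint is assumed to happen upstream.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed OP client registry: client_id -> registered post_logout_redirect_uris.
CLIENTS = {
    "rp-app": ["https://rp.example.com/logged-out"],
    "other-rp": ["https://other.example.org/bye"],
}

@dataclass
class LogoutDecision:
    client_id: Optional[str]     # RP the OP attributes the request to, if any
    redirect_uri: Optional[str]  # where the User Agent is sent after logout, if anywhere
    confirm: bool                # ask the End-User to confirm before logging out
    error: Optional[str] = None  # why a requested redirect was refused

def resolve_logout(hint_claims, client_id, post_logout_redirect_uri):
    """hint_claims: claims of id_token_hint after signature/issuer checks (assumed
    to be done upstream), or None when no valid hint was supplied."""
    # 1. Attribute the request to an RP. client_id is used as-is only if the hint
    #    (when present) lists it as an audience; otherwise the hint alone decides.
    resolved = client_id
    if hint_claims is not None:
        aud = hint_claims.get("aud", [])
        aud = [aud] if isinstance(aud, str) else list(aud)
        if client_id is not None and client_id not in aud:
            return LogoutDecision(None, None, True, "client_id not in id_token_hint audience")
        if client_id is None:
            resolved = hint_claims.get("azp") or (aud[0] if len(aud) == 1 else None)
    if resolved is None:
        # Nothing identifies the RP: never redirect, just prompt the End-User.
        return LogoutDecision(None, None, True)
    if resolved not in CLIENTS:
        return LogoutDecision(None, None, True, "unknown client")
    # 2. Check the URI only against that client's registered list, so the OP never
    #    has to scan every client's URIs to find a match.
    redirect = None
    if post_logout_redirect_uri is not None:
        if post_logout_redirect_uri not in CLIENTS[resolved]:
            return LogoutDecision(resolved, None, True, "post_logout_redirect_uri not registered")
        redirect = post_logout_redirect_uri
    # 3. Without a valid hint the RP is not authenticated (DoS consideration), and
    #    without a redirect the spec advises a prompt: confirm in either case.
    confirm = hint_claims is None or redirect is None
    return LogoutDecision(resolved, redirect, confirm)
```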
