[Openid-specs-ab] Issue #1033: RP-initiated logout: require valid id_token_hint to take action on post_logout_redirect_uri (openid/connect)
issues-reply at bitbucket.org
Mon Jul 23 15:18:14 UTC 2018
New issue 1033: RP-initiated logout: require valid id_token_hint to take action on post_logout_redirect_uri
The current draft implies that it is OK to proceed with sending the end-user's browser to the `post_logout_redirect_uri` of a logout request that carries no `id_token_hint`, provided the OP is able to locate the URI in a registered client's metadata and the end-user confirms the action (the latter is not normatively required though).
If a valid ID token hint isn't required to clear the redirection, which provides a way to "authenticate" the caller, any website could potentially cause the OP to redirect to an RP's `post_logout_redirect_uri`.
Even if the OP installs a confirmation before the redirection, as suggested in section 8, there may be problems with that. Regarding the confirmation to log out (or not), the end-user will probably know how to respond to that. Regarding the other confirmation - to redirect (or not) in the case of no ID token hint being present - I'm not sure we can rely on the user to discern correctly here, e.g. that the redirection URI belongs to the website that initiated the logout. That will also rely a lot on the UX at the OP.
There may also be unforeseen security and privacy risks with redirecting the end-user to an RP where they didn't log in, for example for OPs with dynamic client registration or where we have RPs with common CORS JS included.
My suggestion therefore is to require an `id_token_hint` when a `post_logout_redirect_uri` is included (with alg:none ID tokens not qualifying).
This issue is related to #1032.
More information about the Openid-specs-ab
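The OP-side decision the issue argues for, as an added example that is not part of the original post or of any OpenID Connect implementation: the logout endpoint only honours `post_logout_redirect_uri` when a valid `id_token_hint` identifies the client, `alg:none` tokens are rejected, and the URI must be registered for that same client. Everything here is constructed: the issuer, the single registered client and its secret, HS256 client-secret-signed ID tokens (a real OP would also verify RS256 tokens against its own keys), and the `mint_id_token` helper, which exists only to produce sample tokens. Token expiry is deliberately not checked, since whether an expired hint is still acceptable for logout is a separate OP policy choice.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed OP configuration: one issuer, one registered client (assumption:
# HS256 tokens signed with the client secret; a static registry stands in for
# whatever client store the OP uses).
ISSUER = "https://op.example"
CLIENTS = {
    "rp-one": {
        "secret": b"constructed-client-secret-for-rp-one",
        "post_logout_redirect_uris": ["https://rp-one.example/loggedout"],
    },
}


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def mint_id_token(client_id: str, secret: bytes, alg: str = "HS256", now: int = None) -> str:
    """Constructed helper: builds a sample ID token so the check below can be exercised.
    alg="none" produces an unsigned token (empty signature segment)."""
    now = int(time.time()) if now is None else now
    header = {"alg": alg, "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": "user-1", "aud": client_id, "iat": now, "exp": now + 300}
    h = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    if alg == "none":
        return f"{h}.{p}."
    sig = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url_encode(sig)}"


def validate_id_token_hint(token: str):
    """Return the client_id (aud) the hint was issued to, or None if the hint is not
    acceptable: malformed, alg:none or any alg other than HS256, unknown client,
    wrong issuer, or bad signature."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        claims = json.loads(_b64url_decode(p_b64))
    except ValueError:  # covers bad base64, bad JSON and a wrong number of segments
        return None
    if header.get("alg") != "HS256":  # rejects "none" outright, as the issue suggests
        return None
    aud = claims.get("aud")
    client = CLIENTS.get(aud)
    if client is None or claims.get("iss") != ISSUER:
        return None
    expected = hmac.new(client["secret"], f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        return None
    return aud


def decide_logout_redirect(params: dict):
    """Decide what happens after the OP session is ended.
    Returns ("redirect", uri) only when a valid id_token_hint identifies the client
    AND the requested URI is registered for that client; in every other case the
    OP shows its own post-logout page instead of redirecting anywhere."""
    uri = params.get("post_logout_redirect_uri")
    hint = params.get("id_token_hint")
    if uri is None or hint is None:
        return ("op_page", None)
    client_id = validate_id_token_hint(hint)
    if client_id is None:
        return ("op_page", None)
    if uri not in CLIENTS[client_id]["post_logout_redirect_uris"]:
        return ("op_page", None)
    return ("redirect", uri)


if __name__ == "__main__":
    good = mint_id_token("rp-one", CLIENTS["rp-one"]["secret"])
    print(decide_logout_redirect({"post_logout_redirect_uri": "https://rp-one.example/loggedout",
                                  "id_token_hint": good}))
    print(decide_logout_redirect({"post_logout_redirect_uri": "https://rp-one.example/loggedout"}))
```

The point of the structure is that the registered-URI lookup is keyed by the client the token proves, not by a search over all clients' metadata, so a request that merely names some RP's registered URI without a token for that RP never reaches the redirect branch.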