[Openid-specs-ab] Issue #1049: backchannel logout requests should include a reference to the OP (openid/connect)

Hans Zandbelt issues-reply at bitbucket.org
Fri Sep 21 11:52:10 UTC 2018

New issue 1049: backchannel logout requests should include a reference to the OP

Hans Zandbelt:

Whilst taking a stab at implementing backchannel logout according to:

I found that for an RP that connects to multiple OPs it would be impossible to deduce the OP from the `logout_token` if it is encrypted with a symmetric key, since, following the OpenID Connect `id_token` guidelines (as suggested), it would have to decrypt with the `client_secret`, which is (hopefully) a per-provider setting. Trying all OPs/`client_secret`s consecutively would be very inefficient and probably not what anyone would want to do.

I suggest adding an `iss` parameter to the backchannel logout request in addition to the `logout_token` parameter.

This will also make it easier for implementors to share the code path with `id_token` validation, since they'd no longer have to "peek" into the `id_token` before calling the validation routine that may be issuer specific. The issuer would typically be known before validating the `id_token`, since it is recorded in the (browser-bound) state.
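The key-selection problem described in this post, as an added Python example that is not part of the original message or of any OpenID specification: an RP registered at two hypothetical OPs (`https://op-a.example`, `https://op-b.example`, with constructed client secrets) receives a backchannel logout request. An HS256-signed `logout_token` stands in for the symmetric-key case; the same issue arises for a JWE encrypted under a key derived from the `client_secret`. With `iss` in the form body the RP verifies once against the right OP; without it, it has to try every configured `client_secret` in turn.

```python
import base64, hashlib, hmac, json, time

BCL_EVENT = "http://schemas.openid.net/event/backchannel-logout"

# Constructed per-OP settings for an RP registered at two providers (hypothetical values).
OPS = {
    "https://op-a.example": {"client_id": "rp-at-a", "client_secret": "secret-a"},
    "https://op-b.example": {"client_id": "rp-at-b", "client_secret": "secret-b"},
}

def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64u(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_logout_token(iss: str, sid: str) -> str:
    """Constructed HS256 logout_token as the OP would issue it (sample input only)."""
    op, now = OPS[iss], int(time.time())
    claims = {"iss": iss, "aud": op["client_id"], "iat": now, "exp": now + 120,
              "jti": "tok-1", "sid": sid, "events": {BCL_EVENT: {}}}
    signing_input = _b64u(json.dumps({"alg": "HS256", "typ": "JWT"}).encode()) + "." + _b64u(json.dumps(claims).encode())
    sig = hmac.new(op["client_secret"].encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64u(sig)

def verify_logout_token(token: str, iss: str) -> dict:
    """Verify a logout_token against ONE known OP; the client_secret is chosen by issuer."""
    op = OPS[iss]
    head_b64, body_b64, sig_b64 = token.split(".")
    if json.loads(_unb64u(head_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(op["client_secret"].encode(), f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64u(sig_b64)):
        raise ValueError("bad signature")  # wrong OP's secret lands here
    claims = json.loads(_unb64u(body_b64))
    if claims.get("iss") != iss or claims.get("aud") != op["client_id"] or claims.get("exp", 0) < time.time():
        raise ValueError("iss/aud/exp check failed")
    # Logout-token specifics: events claim present, no nonce, and a sid or sub to act on.
    if BCL_EVENT not in claims.get("events", {}) or "nonce" in claims or not (claims.get("sid") or claims.get("sub")):
        raise ValueError("not a valid logout token")
    return claims

def handle_backchannel_logout(form: dict) -> tuple:
    """Returns (claims, attempts). With `iss` in the form: one verification. Without: try every OP."""
    if "iss" in form:
        return verify_logout_token(form["logout_token"], form["iss"]), 1
    for attempts, iss in enumerate(OPS, start=1):
        try:
            return verify_logout_token(form["logout_token"], iss), attempts
        except ValueError:
            continue
    raise ValueError("no configured OP could validate the logout_token")
```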
