[Openid-specs-ab] Issue #1049: backchannel logout requests should include a reference to the OP (openid/connect)
thomasclinganjones at gmail.com
Sat Sep 22 15:53:29 UTC 2018
Wouldn't it make more sense for all back-channel connections to be over TLS with
thx ..Tom (mobile)
On Fri, Sep 21, 2018, 8:38 AM Phil Hunt via Openid-specs-ab <
openid-specs-ab at lists.openid.net> wrote:
> Interesting. My assumption is iss, aud etc are req’d claims from JWT.
> However maybe a reminder is important?
> > On Sep 21, 2018, at 4:52 AM, Hans Zandbelt via Openid-specs-ab <
> > openid-specs-ab at lists.openid.net> wrote:
> > New issue 1049: backchannel logout requests should include a reference
> > to the OP
> > Hans Zandbelt:
> > Whilst taking a stab at implementing backchannel logout according to:
> > I found that for an RP that connects to multiple OPs it would be
> > impossible to deduce the OP from the `logout_token` if it is encrypted with
> > a symmetric key, since, following the OpenID Connect `id_token` guidelines
> > (as suggested), it would have to decrypt with the `client_secret`, which is
> > (hopefully) a per-provider setting. Trying all OPs/`client_secret`s
> > consecutively would be very inefficient and probably not what anyone would
> > want to do.
> > I suggest adding an `iss` parameter to the backchannel logout request in
> > addition to the `logout_token` parameter.
> > This will also make it easier for implementors to share the code path
> > with `id_token` validation since they'd no longer have to "peek" into the
> > `id_token` before calling the validation routine that may be issuer
> > specific. The issuer would typically be known before validating the
> > id_token since it is recorded in the (browser bound) state.
> > _______________________________________________
> > Openid-specs-ab mailing list
> > Openid-specs-ab at lists.openid.net
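The dispatch problem Hans describes, as an added example that is not part of the thread and not code from any OpenID Connect implementation: an RP registered with several OPs receives a `logout_token` encrypted with a symmetric key (assumed here to be a compact JWE with `alg=dir`, `enc=A256GCM`, the key derived from `client_secret` by SHA-256 as OpenID Connect Core section 10.2 prescribes). `HandleWithoutIss` has to try each provider's secret in turn, while `HandleWithIss` uses the proposed `iss` parameter to pick the provider and decrypt once. The issuers and secrets are constructed. One caveat the example adds on its own: the `iss` parameter is unauthenticated form data, so it serves only as a lookup hint, and the decrypted token's own `iss` claim is required to match it before the request is honoured.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// OP is one provider the RP is registered with (issuer and per-provider
// client_secret). All issuers and secrets in this example are constructed.
type OP struct {
	Issuer       string
	ClientSecret string
}

// RP holds its OPs in registration order, which keeps attempt counts deterministic.
type RP []OP

var b64 = base64.RawURLEncoding

// aead builds A256GCM around the key SHA-256(client_secret), the derivation
// OpenID Connect Core 10.2 prescribes; a 32-byte AES key cannot fail.
func aead(clientSecret string) cipher.AEAD {
	k := sha256.Sum256([]byte(clientSecret))
	block, _ := aes.NewCipher(k[:])
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// EncryptLogoutToken plays the OP: claims become a compact JWE with alg=dir,
// enc=A256GCM (empty encrypted-key segment, encoded header used as the AAD).
func EncryptLogoutToken(op OP, claims map[string]any) (string, error) {
	hdr := b64.EncodeToString([]byte(`{"alg":"dir","enc":"A256GCM"}`))
	pt, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	gcm := aead(op.ClientSecret)
	iv := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nil, iv, pt, []byte(hdr)) // ciphertext || 16-byte tag
	n := len(sealed) - gcm.Overhead()
	return strings.Join([]string{hdr, "", b64.EncodeToString(iv),
		b64.EncodeToString(sealed[:n]), b64.EncodeToString(sealed[n:])}, "."), nil
}

// decrypt opens the JWE with one client_secret. With the wrong key the only
// signal is a failed tag check, which is all the RP has when it must guess the OP.
func decrypt(clientSecret, token string) (map[string]any, error) {
	p := strings.Split(token, ".")
	if len(p) != 5 {
		return nil, errors.New("not a compact JWE")
	}
	iv, e1 := b64.DecodeString(p[2])
	ct, e2 := b64.DecodeString(p[3])
	tag, e3 := b64.DecodeString(p[4])
	if e1 != nil || e2 != nil || e3 != nil {
		return nil, errors.New("bad base64url segment")
	}
	pt, err := aead(clientSecret).Open(nil, iv, append(ct, tag...), []byte(p[0]))
	if err != nil {
		return nil, err
	}
	var claims map[string]any
	if err := json.Unmarshal(pt, &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

// HandleWithoutIss is the situation the issue describes: only logout_token is
// posted, so the RP tries every configured client_secret in turn. It returns
// the claims and how many decryption attempts that took.
func (rp RP) HandleWithoutIss(logoutToken string) (map[string]any, int, error) {
	for i, op := range rp {
		if claims, err := decrypt(op.ClientSecret, logoutToken); err == nil {
			return claims, i + 1, nil
		}
	}
	return nil, len(rp), errors.New("no configured OP can decrypt logout_token")
}

// HandleWithIss is the proposed shape: an iss parameter beside logout_token
// selects the OP, so one decryption suffices. The parameter is unauthenticated,
// so it is only a lookup hint: the token's own iss claim must equal it.
func (rp RP) HandleWithIss(iss, logoutToken string) (map[string]any, int, error) {
	for _, op := range rp {
		if op.Issuer != iss {
			continue
		}
		claims, err := decrypt(op.ClientSecret, logoutToken)
		if err == nil && claims["iss"] != iss {
			return nil, 1, errors.New("iss claim does not match iss parameter")
		}
		return claims, 1, err
	}
	return nil, 0, errors.New("unknown iss")
}
```

With three configured OPs and a token from the last one, `HandleWithoutIss` spends three AES-GCM decryptions (two of them failing on the tag) where `HandleWithIss` spends one; the gap grows linearly with the number of providers, which is the inefficiency the issue points at. The final mismatch check matters because a provider that holds a valid `client_secret` could otherwise post a token whose claims name a different issuer and have it processed as that issuer's logout.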