[Openid-specs-ab] Issue #1056: Use of id_token in RP-Initiated Logout as the id_token_hint (openid/connect)

Rasitha Wijesinghe issues-reply at bitbucket.org
Sun Nov 4 01:53:41 UTC 2018


New issue 1056: Use of id_token in RP-Initiated Logout as the id_token_hint
https://bitbucket.org/openid/connect/issues/1056/use-of-id_token-in-rp-initiated-logout-as

Rasitha Wijesinghe:

Re: https://openid.net/specs/openid-connect-session-1_0.html#RPLogout

Current spec recommends using id_token in the RP-initiated logout as the id_token_hint but there are two issues with this approach:

1. When an id_token contains additional claims, the size of the id_token becomes too big for a URL query parameter and can run into logout issues. This is esp. an issue when id_token includes role claims in an enterprise Active Directory environment.
 
2. id_token can contain sensitive information about the user such as name, email, phone. Because it is used as a GET query parameter, the value can be easily extracted by a middle party as well as gets logged in a standard logging configuration.

Is there a way to recommend using a different value for this? The reason for using id_token_hint makes sense but does the value have to be the id_token itself? Can the OP issue some other value (within the id_token) at sign-in time that can be used as the logout id_token_hint? Then OP can still verify the logout request in a secure manner. 

 Thanks!




More information about the Openid-specs-ab mailing list