[Openid-specs-ab] Issue #1056: Use of id_token in RP-Initiated Logout as the id_token_hint (openid/connect)
issues-reply at bitbucket.org
Sun Nov 4 01:53:41 UTC 2018
New issue 1056: Use of id_token in RP-Initiated Logout as the id_token_hint
Current spec recommends using id_token in the RP-initiated logout as the id_token_hint but there are two issues with this approach:
1. When an id_token contains additional claims, the size of the id_token becomes too big for a URL query parameter and can run into logout issues. This is esp. an issue when id_token includes role claims in an enterprise Active Directory environment.
2. id_token can contain sensitive information about the user such as name, email, phone. Because it is used as a GET query parameter, the value can be easily extracted by a middle party as well as gets logged in a standard logging configuration.
Is there a way to recommend using a different value for this? The reason for using id_token_hint makes sense but does the value have to be the id_token itself? Can the OP issue some other value (within the id_token) at sign-in time that can be used as the logout id_token_hint? Then OP can still verify the logout request in a secure manner.
More information about the Openid-specs-ab