[Openid-specs-ab] Issue #1056: Use of id_token in RP-Initiated Logout as the id_token_hint (openid/connect)
brockallen at gmail.com
Sun Nov 4 01:58:03 UTC 2018
Isn’t this the motivation for the user info endpoint?
On Sat, Nov 3, 2018 at 9:53 PM Rasitha Wijesinghe via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:
> New issue 1056: Use of id_token in RP-Initiated Logout as the id_token_hint
> Rasitha Wijesinghe:
> Re: https://openid.net/specs/openid-connect-session-1_0.html#RPLogout
> Current spec recommends using id_token in the RP-initiated logout as the
> id_token_hint but there are two issues with this approach:
> 1. When an id_token contains additional claims, the size of the id_token
> becomes too big for a URL query parameter and can run into logout issues.
> This is especially an issue when the id_token includes role claims in an
> enterprise Active Directory environment.
> 2. An id_token can contain sensitive information about the user such as name,
> email, and phone. Because it is used as a GET query parameter, the value can
> easily be extracted by a middle party and is also logged under a standard
> logging configuration.
> Is there a way to recommend using a different value for this? The reason
> for using id_token_hint makes sense, but does the value have to be the
> id_token itself? Can the OP issue some other value (within the id_token) at
> sign-in time that can be used as the logout id_token_hint? Then the OP can
> still verify the logout request in a secure manner.
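The two problems raised in the issue can be reproduced end to end. The script below is an added example, not code from the thread or from the OpenID Foundation: it mints an id_token with an enterprise-style role claim set, builds the RP-initiated logout request exactly as the RPLogout section describes (GET with id_token_hint, post_logout_redirect_uri and state), measures how the URL grows with the number of role claims, and then shows that anyone holding a logged copy of that URL can read the user's name, email and phone number straight out of the hint, because a JWS payload is base64url, not encrypted. The endpoint URLs, the claim values and the HS256 key are constructed for the example (a real OP would normally sign with an RSA or EC key; the signature algorithm does not change either point).

```python
"""Added example: why a full id_token as id_token_hint is a problem for RP-initiated logout.
All endpoints, claims and the signing key below are constructed for illustration."""
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values (assumptions for the example, not taken from the spec text).
END_SESSION_ENDPOINT = "https://op.example.com/connect/endsession"
POST_LOGOUT_REDIRECT_URI = "https://rp.example.com/signout-callback"
OP_HS256_KEY = b"example-shared-secret-do-not-use"  # real OPs usually sign with RSA/EC keys


def b64url(data: bytes) -> str:
    """base64url without padding, as JWTs require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url; restores the padding that compact JWS strips."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims: dict) -> str:
    """Mint a compact JWS (HS256 with the constructed key) carrying the given claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(claims)}"
    sig = hmac.new(OP_HS256_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def sample_claims(n_roles: int) -> dict:
    """Typical enterprise claim set: identity claims plus n_roles AD group names (constructed)."""
    return {
        "iss": "https://op.example.com", "sub": "24400320", "aud": "rp-client-id",
        "exp": 1541300000, "iat": 1541296400,
        "name": "Jane Doe", "email": "jane.doe@example.com", "phone_number": "+1 555 0100",
        "roles": [f"CN=App-Role-{i},OU=Groups,DC=corp,DC=example,DC=com" for i in range(n_roles)],
    }


def build_logout_url(id_token: str, state: str = "af0ifjsldkj") -> str:
    """RP-initiated logout request as the spec describes it: a GET carrying id_token_hint."""
    query = urlencode({
        "id_token_hint": id_token,
        "post_logout_redirect_uri": POST_LOGOUT_REDIRECT_URI,
        "state": state,
    })
    return f"{END_SESSION_ENDPOINT}?{query}"


def logout_url_length(n_roles: int) -> int:
    """Issue 1: the logout URL grows with every role claim the id_token carries."""
    return len(build_logout_url(make_id_token(sample_claims(n_roles))))


def claims_from_logged_url(url: str) -> dict:
    """Issue 2: whoever holds the URL (proxy log, web server access log, browser history)
    can read the user's claims. No key is needed: the payload is only base64url-encoded."""
    hint = parse_qs(urlparse(url).query)["id_token_hint"][0]
    payload_b64 = hint.split(".")[1]
    return json.loads(b64url_decode(payload_b64))


if __name__ == "__main__":
    for n in (0, 20, 100):
        print(f"{n:3d} role claims -> logout URL is {logout_url_length(n)} bytes")
    logged_line = build_logout_url(make_id_token(sample_claims(5)))  # what an access log would store
    leaked = claims_from_logged_url(logged_line)
    print("recoverable from the logged URL:", leaked["name"], leaked["email"], leaked["phone_number"])
```

Run it and compare the 100-role figure with whatever request-line limit your reverse proxy or application server enforces; that is the failure the issue's first point describes. The second function is the whole of the second point: a standard access log line that records the query string has already disclosed every claim in the token.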