[Openid-specs-ab] Issue #1071: Require id_token_hint in RP-initiated logout for redirect to post_logout_redirect_uri (openid/connect)

Michael Jones issues-reply at bitbucket.org
Fri Apr 19 19:29:01 UTC 2019


New issue 1071: Require id_token_hint in RP-initiated logout for redirect to post_logout_redirect_uri
https://bitbucket.org/openid/connect/issues/1071/require-id_token_hint-in-rp-initiated

Michael Jones:

During IETF 104 in Prague, a number of us discussed RP-initiated logout and how to validate the client so that redirecting to the post_logout_redirect_uri is safe.  The consensus was to require that an id_token_hint be present so that the client can be validated; otherwise, the supplied post_logout_redirect_uri should not be honored.

Those present were Torsten Lodderstedt, John Bradley, Filip Skokan, Daniel Fett, Aaron Parecki, and Mike Jones.

Responsible: Michael Jones
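
Added example, not part of the original message or of the specification text: one way an OP's end-session handler could apply the rule above, honoring post_logout_redirect_uri only when an id_token_hint identifies the client. The HS256 key, the `CLIENTS` registry, the exact-match URI check and all function names are assumptions made for this sketch.

```python
import base64, hashlib, hmac, json

# Assumptions for this sketch: the OP verifies ID Tokens it issued with an
# HS256 key it holds, and keeps a set of post-logout URIs per client.
OP_KEY = b"constructed-demo-key"
CLIENTS = {"rp-1": {"https://rp.example/after-logout"}}  # constructed registry

def _b64d(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64e(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_id_token(claims, key=OP_KEY):
    """Build a constructed HS256 ID Token for the demo."""
    head = _b64e(json.dumps({"alg": "HS256"}).encode())
    body = _b64e(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64e(sig)}"

def client_from_hint(id_token_hint):
    """Return the client_id (aud) of a hint this OP issued, else None."""
    try:
        head, body, sig = id_token_hint.split(".")
        if json.loads(_b64d(head)).get("alg") != "HS256":
            return None  # reject "none" and any unexpected algorithm
        want = hmac.new(OP_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(want, _b64d(sig)):
            return None  # not signed by this OP
        aud = json.loads(_b64d(body)).get("aud")
    except (ValueError, AttributeError, TypeError):
        return None  # malformed hint
    return aud if isinstance(aud, str) and aud in CLIENTS else None

def logout_redirect(params):
    """Return the URI to redirect to after logout, or None to stay on the OP's own page."""
    uri = params.get("post_logout_redirect_uri")
    hint = params.get("id_token_hint")
    if not uri or not hint:
        return None  # no hint: the supplied URI is not honored
    client = client_from_hint(hint)
    if client is None or uri not in CLIENTS[client]:
        return None  # unknown client, or URI not registered for it
    return uri
```

A `None` result means the OP still logs the user out but finishes on its own confirmation page instead of redirecting.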

