[Openid-specs-ab] Issue #1071: Require id_token_hint in RP-initiated logout for redirect to post_logout_redirect_uri (openid/connect)
issues-reply at bitbucket.org
Fri Apr 19 19:29:01 UTC 2019
New issue 1071: Require id_token_hint in RP-initiated logout for redirect to post_logout_redirect_uri
During IETF 104 in Prague, a number of us discussed RP-initiated logout and how to validate the client so that redirecting to the post_logout_redirect_uri is safe. The consensus was to require that an id_token_hint be present so that the client can be validated; otherwise, the supplied post_logout_redirect_uri should not be honored.
Those present were Torsten Lodderstedt, John Bradley, Filip Skokan, Daniel Fett, Aaron Parecki, and Mike Jones.
Responsible: Michael Jones
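The check described in this issue, sketched as an added example that is not part of the original message or of any specification text: an OP-side logout handler honors post_logout_redirect_uri only when a valid id_token_hint identifies the client. Assumptions: the function names, the issuer, the client registry and the HS256 demo key are all constructed for illustration, and identifying the client from the hint's `aud` claim and exact-matching against its registered URIs is one way to perform the validation.

```python
import base64, hashlib, hmac, json

OP_KEY = b"constructed-demo-key"   # constructed; stands in for the OP's real signing key
ISSUER = "https://op.example"      # constructed issuer
CLIENTS = {"rp-1": {"post_logout_redirect_uris": ["https://rp.example/loggedout"]}}

def _b64d(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64e(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_id_token(claims):
    """Demo helper (hypothetical): issue an HS256 ID token signed with OP_KEY."""
    head = _b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64e(json.dumps(claims).encode())
    sig = hmac.new(OP_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64e(sig)}"

def client_from_hint(id_token_hint):
    """Return the client_id the hint was issued to, or None if it is not ours."""
    try:
        head, body, sig = id_token_hint.split(".")
        if json.loads(_b64d(head)).get("alg") != "HS256":
            return None                      # pin the algorithm, never trust the header
        good = hmac.new(OP_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(good, _b64d(sig)):
            return None
        claims = json.loads(_b64d(body))
        aud = claims.get("aud")              # exp is not checked in this sketch
        if claims.get("iss") != ISSUER or not isinstance(aud, str):
            return None
    except (ValueError, AttributeError, TypeError):
        return None                          # malformed hint
    return aud if aud in CLIENTS else None

def logout_redirect_target(params):
    """Return the URI to redirect to after logout, or None to stay on the OP's page."""
    uri = params.get("post_logout_redirect_uri")
    hint = params.get("id_token_hint")
    if not uri or not hint:
        return None                          # no hint: the supplied URI is not honored
    client_id = client_from_hint(hint)
    if client_id is None:
        return None
    allowed = CLIENTS[client_id]["post_logout_redirect_uris"]
    return uri if uri in allowed else None   # exact string match only
```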