<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Helvetica;
panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
{font-family:Helvetica;
panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Verdana;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
h3
{mso-style-priority:9;
mso-style-link:"Heading 3 Char";
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:13.5pt;
font-family:"Helvetica","sans-serif";
color:#333333;
font-weight:bold;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:24.0pt;
mso-margin-bottom-alt:auto;
margin-left:24.0pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
tt
{mso-style-priority:99;
font-family:"Courier New";
color:#003366;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
span.Heading3Char
{mso-style-name:"Heading 3 Char";
mso-style-priority:9;
mso-style-link:"Heading 3";
font-family:"Helvetica","sans-serif";
color:#333333;
font-weight:bold;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
span.EmailStyle22
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.EmailStyle23
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle24
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle25
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D">This sounds like something we should add to the security considerations.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> John Bradley [mailto:ve7jtb@ve7jtb.com]
<br>
<b>Sent:</b> Tuesday, November 19, 2013 6:54 PM<br>
<b>To:</b> Mike Jones<br>
<b>Cc:</b> openid-specs-ab@lists.openid.net<br>
<b>Subject:</b> Re: [Openid-specs-ab] FW: OpenID Connection session management: determining which RP is initiating the logout<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">The id_token hint is the only way to know. Sending it is a SHOULD so unless there is some good reason not to send it, it should be included. <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">If I were a IdP I would treat any logout Requests without it as possible denial of service attacks requiring additional confirmation from the user. <br>
<br>
Sent from my iPhone<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
On Nov 19, 2013, at 9:32 PM, Mike Jones <<a href="mailto:Michael.Jones@microsoft.com">Michael.Jones@microsoft.com</a>> wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal"><span style="color:#1F497D">A Microsoft developer asked this question. Thoughts?</span><o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Mike,<o:p></o:p></p>
<p class="MsoNormal"> I’ve been reviewing <span style="color:#1F497D">
our</span> implementation of OpenID Connect session management. In the RP-initiated logout mechanism, the STS is required to validate that, if the post_logout_redirect_uri is supplied, that it match one of the values registered for that RP. However, what’s
not clear from the OpenID Connect Session Management spec is how the STS can determine which RP sent the logout request (so the STS can determine which RP’s info to use to validate the post_logout_redirect_uri). There does not seem to be any required parameter
in the logout request that would specify the RP sending it. The closest is the id_token_hint (i.e., the STS can look inside the token to see its audience), but the id_token_hint is recommended, not required (and really seems intended for determining the user
identity, not the RP identity).<o:p></o:p></p>
<p class="MsoNormal"> What is the expected means by which an STS can determine which RP is initiating the logout?<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span lang="EN" style="font-size:13.5pt;font-family:"Helvetica","sans-serif";color:#333333">5. RP-Initiated Logout</span></b><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;margin-right:48.0pt;mso-margin-bottom-alt:auto;margin-left:48.0pt">
<span lang="EN" style="font-size:12.0pt;font-family:"Verdana","sans-serif";color:black">An RP can notify the OP that the End-User has logged out of the site, and might want to log out of the OP as well. In this case, the RP, after having logged the End-User
out of the RP, redirects the End-User's User-Agent to the OP's logout endpoint URL. This URL is normally obtained via the
</span><span lang="EN" style="font-size:12.0pt;font-family:"Courier New";color:#003366">end_session_endpoint</span><span lang="EN" style="font-size:12.0pt;font-family:"Verdana","sans-serif";color:black"> element of the OP's Discovery response, or MAY be learned
via other mechanisms. </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;margin-right:48.0pt;mso-margin-bottom-alt:auto;margin-left:48.0pt">
<span lang="EN" style="font-size:12.0pt;font-family:"Verdana","sans-serif";color:black">This specification also defines the following parameters that are passed as query parameters in the logout request:
</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN" style="font-size:12.0pt;font-family:"Verdana","sans-serif";color:black">id_token_hint</span><o:p></o:p></p>
<p class="MsoNormal" style="margin-left:96.0pt"><span lang="EN" style="font-size:12.0pt;font-family:"Verdana","sans-serif";color:black">RECOMMENDED. Previously issued ID Token passed to the logout endpoint as a hint about the End-User's current authenticated
session with the Client. This is used as an indication of the identity of the End-User that the RP is requesting be logged out by the OP. The OP need not be listed as an audience of the ID Token when it is used as an
</span><span lang="EN" style="font-size:12.0pt;font-family:"Courier New";color:#003366">id_token_hint</span><span lang="EN" style="font-size:12.0pt;font-family:"Verdana","sans-serif";color:black"> value.
</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN" style="font-size:12.0pt;font-family:"Verdana","sans-serif";color:black">post_logout_redirect_uri</span><o:p></o:p></p>
<p class="MsoNormal" style="margin-left:96.0pt"><span lang="EN" style="font-size:12.0pt;font-family:"Verdana","sans-serif";color:black">OPTIONAL. URL to which the RP is requesting that the End-User's User-Agent be redirected after a logout has been performed.
The value MUST have been previously registered with the OP, either using the </span>
<span lang="EN" style="font-size:12.0pt;font-family:"Courier New";color:#003366">post_logout_redirect_uris</span><span lang="EN" style="font-size:12.0pt;font-family:"Verdana","sans-serif";color:black"> Registration parameter or via another mechanism. If supplied,
the OP SHOULD honor this request following the logout. </span><o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</blockquote>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><o:p></o:p></span></p>
</div>
</blockquote>
</div>
</body>
</html>