<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div>Hi Todd,</div><div><br></div><div>I think your proposal to make the id token hint required if the post logout uri is present limits applicability of the logout mechanism. We see the need to trigger a logout from pages, which did not previously process a login (portal, landing page). This would be impossible.</div><div><br></div><div>General note: I think the security consideration section must discuss open redirection at the end session endpoint. I assume registration of post logout uri serves the purpose of preventing this threat but this is not documented.</div><div><br></div><div>regards,</div><div>Torsten.</div><div><br>On 17.01.2014 at 22:45, Todd W Lainhart <<a href="mailto:lainhart@us.ibm.com">lainhart@us.ibm.com</a>> wrote:<br><br></div><blockquote type="cite"><div><font size="2" face="sans-serif">Last week I filed:</font>
<br>
<br><a href="https://bitbucket.org/openid/connect/issue/914/session-5-missing-client_id-parameter"><tt><font size="2">https://bitbucket.org/openid/connect/issue/914/session-5-missing-client_id-parameter</font></tt></a>
<br>
<br><font size="2" face="sans-serif">...where I stated that a required client_id
parm was missing that allowed for the verification of the post_logout_uri
value. I've implemented this endpoint, and I think that I see that
this parm may not be necessary.</font>
<br>
<br><font size="2" face="sans-serif">Section 5 of the session mgmt. spec
says this:</font>
<br>
<br><font size="2" face="sans-serif">//===========</font>
<br><font size="2" face="Verdana">This specification also defines the following
parameters that are passed as query parameters in the logout request:</font>
<p><font size="2" face="Verdana">id_token_hint</font>
<br><font size="2" face="Verdana">RECOMMENDED. Previously issued ID Token
passed to the logout endpoint as a hint about the End-User's current authenticated
session with the Client. This is used as an indication of the identity
of the End-User that the RP is requesting be logged out by the OP. The
OP need not be listed as an audience of the ID Token when it is used as
an </font><font size="2" color="#002060" face="Courier New">id_token_hint</font><font size="2" face="Verdana"> value.</font>
<br><font size="2" face="Verdana">post_logout_redirect_uri</font>
<br><font size="2" face="Verdana">OPTIONAL. URL to which the RP is requesting
that the End-User's User Agent be redirected after a logout has been performed.
The value MUST have been previously registered with the OP, either using
the </font><font size="2" color="#002060" face="Courier New">post_logout_redirect_uris</font><font size="2" face="Verdana"> Registration
parameter or via another mechanism. If supplied, the OP SHOULD honor this
request following the logout.</font>
<br><font size="2" face="sans-serif"><br>
</font>
<br><font size="2" face="sans-serif">//===========</font>
<br>
<br><font size="2" face="sans-serif">I would reword these definitions to
say something along the following lines:</font>
<br>
<br><font size="2" face="sans-serif">post_logout_redirect_uri OPTIONAL.
The URL to which the RP is requesting that the End-User's User Agent
be redirected to after the logout has been performed. The value MUST
have been previously registered with the OP, either using the post_logout_redirect_uris
Registration parameter or via another mechanism. If supplied, id_token_hint
MUST be specified.</font>
<br>
<br><font size="2" face="sans-serif">id_token_hint REQUIRED if "post_logout_redirect_uri"
is specified, otherwise RECOMMENDED. The previously issued ID Token
passed to the logout endpoint as a hint about the End-User's current authenticated
session with the Client. This is used as an indication of the identity
of the End-User that the RP is requesting be logged out by the OP. If "post_logout_redirect_uri"
is specified, then the "aud" member of this token MUST be a single
element, and MUST be the client_id to which the specified "post_logout_redirect_uri"
is registered.</font>
<br>
<br><font size="2" face="sans-serif">Additionally, a decision should be made
as to whether a state parameter should be included that can be round-tripped
via the post_logout_redirect_uri. Either that, or the value of the
id_token_hint parm is returned via the post_logout_redirect_uri redirect.</font>
<br>
<br><font size="2" face="sans-serif">The implication of this is that the
end_session_endpoint can be called with no parameters, an id_token_hint,
or both id_token_hint and post_logout_redirect_uri.</font>
</p><table width="223" style="border-collapse:collapse;">
<tbody><tr height="8">
<td width="223" bgcolor="white" style="border-style:solid;border-color:#000000;border-width:0px 0px 0px 0px;padding:0px 0px;">
<br>
<br>
<br><font size="1" face="Verdana"><b><br>
<br>
<br>
Todd Lainhart<br>
Rational software<br>
IBM Corporation<br>
550 King Street, Littleton, MA 01460-1250</b></font><font size="1" face="Arial"><b><br>
1-978-899-4705<br>
2-276-4705 (T/L)<br>
<a href="mailto:lainhart@us.ibm.com">lainhart@us.ibm.com</a></b></font></td></tr></tbody></table>
<br></div></blockquote><blockquote type="cite"><div><span>_______________________________________________</span><br><span>Openid-specs-ab mailing list</span><br><span><a href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.net</a></span><br><span><a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a></span><br></div></blockquote></body></html>
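Added example (not code from this thread or from the OpenID specification): an OP-side check of an end_session request along the lines Todd proposes, which also shows why Torsten's open-redirect concern is answered by registration rather than by the hint alone. The client registry, the HS256 key and the constructed token minting are assumptions; the rule implemented is that post_logout_redirect_uri is honoured only when a verified id_token_hint names exactly one client and the URI is registered for that client, while a logout request with no redirect URI is always accepted.

```python
import base64, hashlib, hmac, json

# Constructed OP-side client registry: client_id -> registered post_logout_redirect_uris.
CLIENTS = {
    "client-portal": ["https://portal.example.com/logged-out"],
    "client-shop": ["https://shop.example.com/bye"],
}
OP_KEY = b"constructed-demo-key"  # assumed: the OP signed its ID Tokens with HS256 under this key

def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_id_token_hint(claims):
    """Mint a constructed HS256 ID Token so the validator has realistic input."""
    signing_input = _b64url(b'{"alg":"HS256"}') + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(OP_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def decode_id_token_hint(token):
    """Verify the hint's signature before trusting its aud, then return the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed id_token_hint")
    expected = hmac.new(OP_KEY, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(parts[2])):
        raise ValueError("id_token_hint signature invalid")
    return json.loads(_unb64url(parts[1]))

def validate_end_session(params):
    """Decide whether the OP may redirect after logout; returns (ok, redirect_uri, reason)."""
    uri = params.get("post_logout_redirect_uri")
    if uri is None:
        return True, None, "logout without redirect"  # no parameters, or id_token_hint alone
    hint = params.get("id_token_hint")
    if hint is None:  # no client identifier, so the registered-URI check cannot be made
        return False, None, "post_logout_redirect_uri requires id_token_hint"
    try:
        aud = decode_id_token_hint(hint).get("aud")
    except ValueError as exc:
        return False, None, str(exc)
    if isinstance(aud, list):  # Todd's rule: aud must be a single element naming the client
        if len(aud) != 1:
            return False, None, "aud must name exactly one client"
        aud = aud[0]
    if not isinstance(aud, str) or uri not in CLIENTS.get(aud, []):  # exact match, never a prefix
        return False, None, "post_logout_redirect_uri not registered for this client"
    return True, uri, "ok"
```

A rejected request should end at an OP-hosted logout page rather than at the unverified URI, since redirecting to it anyway is exactly the open redirect the registration requirement is meant to prevent.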