<html>
<head>
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
</head>
<body text="#000000" bgcolor="#FFFFFF">
I reviewed the docs and there is discussion of this issue already
present that I missed.<br>
<br>
Section 5 (RP-Initiated Logout) from the Session Management spec
RECOMMENDS use of the id_token_hint and ends the section with a
statement that the OP should ask the user if they want to logout of
the OP or not.<br>
<br>
Section 8 (Security Considerations) from the Session Management spec
calls out that "Logout requests without a valid 'id_token_hint'
value are a potential means of denial of service; therefore, OPs may
want to require explicit user confirmation before acting upon them."<br>
<br>
Section 1 (Introduction) from the Front-Channel logout spec
identifies that the spec reuses the RP-Initiated Logout
functionality from the Session Management spec.<br>
<br>
All the bases are covered, though it's easy to miss. I don't know if
what we have is sufficient or we should add more text.<br>
<br>
The only normative change we could make that might make things
easier for RPs, now that session id is defined, would be to update
Section 5 of the Session Management spec to allow for specification
of the session-id instead of the id_token.<br>
<br>
Thoughts?<br>
<br>
Thanks,<br>
George<br>
<br>
<div class="moz-cite-prefix">On 6/21/18 10:48 AM, Mike Jones via
Openid-specs-ab wrote:<br>
</div>
<blockquote type="cite"
cite="mid:SN6PR00MB0304701900B67C960493729AF5760@SN6PR00MB0304.namprd00.prod.outlook.com">
<p class="MsoNormal">Unauthenticated Logout Requests</p>
<p class="MsoNormal">George will file an issue
proposing Security Considerations language about denial of
service attacks using front-channel logout</p>
</blockquote>
<br>
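The behaviour the thread refers to, as an added illustration that is not part of this message or of the OpenID specifications: an OP's logout endpoint that only terminates a session when the request carries a valid id_token_hint bound to that session, and otherwise asks the user to confirm rather than acting on an unauthenticated request (the Section 8 denial-of-service concern quoted above). The issuer, signing key, session values and HS256 signing are constructed for the example; a real OP would verify hints against its own published signing keys and apply its own policy on expired tokens.<br>

```python
import base64
import hashlib
import hmac
import json

# Constructed demo values: a real OP keeps its signing keys in a key store and
# usually signs ID Tokens with an asymmetric key (RS256/ES256). HS256 with a
# symmetric key is used here only so the example runs offline.
OP_SIGNING_KEY = b"constructed-demo-signing-key"
OP_ISSUER = "https://op.example.invalid"   # placeholder issuer


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def make_id_token(claims: dict) -> str:
    """Issue an HS256-signed ID Token (demo helper standing in for the OP's token service)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(OP_SIGNING_KEY, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_id_token_hint(token: str):
    """Return the claims if the hint was signed by this OP and names this issuer, else None.

    Expiry is deliberately not enforced here: an RP may present an ID Token
    issued earlier in the session; whether to accept expired hints is OP policy.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
        expected = hmac.new(OP_SIGNING_KEY, signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        return None
    if not isinstance(claims, dict) or claims.get("iss") != OP_ISSUER:
        return None
    return claims


def handle_logout_request(params: dict, current_session):
    """Decide what the OP's logout endpoint should do with an RP-initiated logout request.

    params: query parameters of the logout request.
    current_session: the OP session bound to the browser, as {"sub": ..., "sid": ...}, or None.
    The session is only terminated when the request is bound to it by a valid id_token_hint.
    """
    hint = params.get("id_token_hint")
    claims = verify_id_token_hint(hint) if hint else None

    if claims is None:
        # Unauthenticated (or forged) logout request: do not act on it silently;
        # ask the user to confirm so a third party cannot end sessions at will.
        return {"action": "ask_user_to_confirm", "session_terminated": False,
                "reason": "missing or invalid id_token_hint"}

    if current_session is None:
        return {"action": "nothing_to_log_out", "session_terminated": False,
                "reason": "no OP session for this browser"}

    # The hint is genuine but must also describe *this* session: compare the
    # subject and, when the ID Token carries one, the session id (sid) claim.
    if claims.get("sub") != current_session.get("sub") or (
            "sid" in claims and claims["sid"] != current_session.get("sid")):
        return {"action": "ask_user_to_confirm", "session_terminated": False,
                "reason": "id_token_hint does not match the current session"}

    return {"action": "log_out", "session_terminated": True,
            "reason": "valid id_token_hint bound to the current session"}


if __name__ == "__main__":
    session = {"sub": "user-123", "sid": "sess-abc"}   # constructed OP session
    good_hint = make_id_token({"iss": OP_ISSUER, "sub": "user-123",
                               "sid": "sess-abc", "aud": "rp-client-1"})
    print(handle_logout_request({"id_token_hint": good_hint}, session)["action"])
    print(handle_logout_request({}, session)["action"])
```

The decision table is the point: only a hint that verifies and matches the browser's current session produces a silent logout; everything else (no hint, a hint that fails verification, a hint for another user or session) falls back to the user confirmation step the Security Considerations section suggests.<br>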
</body>
</html>