[Code] Possible approach to handle OIDC logout consent denial by the end-user
Piraveena Paralogarajah
piraveena.14 at cse.mrt.ac.lk
Tue Mar 31 03:47:08 UTC 2020
Hi Thomas Broyer and Darshana,
Thanks for your response.
According to the spec
<https://openid.net/specs/openid-connect-session-1_0.html#RPLogout>, the
user agent needs to be redirected to post_logout_redirect_uri by the OP
after logout is performed.
post_logout_redirect_uri OPTIONAL. URL to which the RP is requesting that
the End-User's User Agent be redirected after a logout has been performed.
The value MUST have been previously registered with the OP, either using
the post_logout_redirect_uris Registration parameter or via another
mechanism. If supplied, the OP SHOULD honor this request following the
logout.
But in this case, the user denies the logout consent and logout didn't
happen on the OP side. So is it a correct approach to redirect to
post_logout_redirect_uri when logout failed on the OP side?
Thanks,
Piraveena
On Mon, 30 Mar 2020 at 21:53, Darshana Gunawardana <darshanasbg at gmail.com>
wrote:
> Hi Piraveena,
>
> If the RP is not sending the *post_logout_redirect_uri* or it is not matched with
> the OP-registered *post_logout_redirect_uris* (regardless of whether the user denied
> the consent or approved), the user would be redirected to some page in the OP.
>
> If the post_logout_redirect_uri is available and valid, IMO the better
> behaviour would be redirecting to the *post_logout_redirect_uri*. Here,
> user will be only logged out from the RP, but not the OP.
>
> PS: Saw Thomas's reply halfway through, but continued sending this
> one. :)
>
> Thanks,
>
> On Mon, Mar 30, 2020 at 8:28 PM Piraveena Paralogarajah <
> piraveena.14 at cse.mrt.ac.lk> wrote:
>
>> Hi all,
>>
>> According to the OIDC Session management
>> <https://openid.net/specs/openid-connect-session-1_0.html#RPLogout>
>> spec,
>>
>> "At the logout endpoint, the OP SHOULD ask the End-User whether he wants
>> to log out of the OP as well. If the End-User says "yes", then the OP MUST
>> log out the End-User."
>>
>> It doesn't say how to handle when the user denies the logout consent.
>>
>> How should it be handled if the user denies the logout consent? What is a possible
>> approach?
>> Appreciate your suggestions on this.
>>
>> Thank you for your time,
>> Piraveena
>>
>> --
>> *Piraveena Paralogarajah*
>> Undergraduate,
>> Department of Computer Science and Engineering,
>> University of Moratuwa.
>>
>>
>> *E-mail*: piraveena.14 at cse.mrt.ac.lk
>> *Blog:* https://medium.com/@piraveenaparalogarajah
>> *LinkedIn*: https://www.linkedin.com/in/piraveena-paralogarajah
>> <https://www.linkedin.com/in/piraveena-paralogarajah>
>>
>> _______________________________________________
>> specs mailing list
>> specs at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs
>>
>
>
> --
> Regards,
> *Darshana Gunawardana*
> https://www.linkedin.com/in/darshana-gunawardana-a23b6037/
>
--
*Piraveena Paralogarajah*
*E-mail*: piraveena.14 at cse.mrt.ac.lk
*Blog:* https://medium.com/@piraveenaparalogarajah
*LinkedIn*: https://www.linkedin.com/in/piraveena-paralogarajah
<https://www.linkedin.com/in/piraveena-paralogarajah>
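As an added illustration (not code from anyone in this thread or from any OP implementation), a sketch of the OP-side handling under discussion: post_logout_redirect_uri is accepted only on an exact match against the registered values, and a consent denial leaves the OP session intact while the redirect to a valid RP URI is still honoured. The client lookup, the OP fallback page, all URLs and the echoing of the spec's `state` parameter are constructed assumptions.

```python
from dataclasses import dataclass
from urllib.parse import urlencode

# Constructed registration data for a hypothetical RP; a real OP would look
# this up by the client identified through id_token_hint or client_id.
REGISTERED_CLIENTS = {
    "rp-client-1": {"post_logout_redirect_uris": ["https://rp.example.com/logged-out"]},
}
OP_DEFAULT_LOGOUT_PAGE = "https://op.example.com/logout/done"  # assumed OP page


@dataclass(frozen=True)
class LogoutOutcome:
    op_session_ended: bool
    redirect_to: str


def valid_post_logout_uri(client_id, requested_uri):
    """Return the URI only if it exactly equals a registered value; exact
    comparison (no prefix/host/pattern matching) stops the logout endpoint
    from acting as an open redirector."""
    client = REGISTERED_CLIENTS.get(client_id)
    if requested_uri is None or client is None:
        return None
    return requested_uri if requested_uri in client["post_logout_redirect_uris"] else None


def handle_rp_logout(params, client_id, session, user_approved):
    """OP-side decision after the consent prompt.
    params: query parameters of the RP-initiated logout request.
    session: mutable dict holding the OP session; cleared only on approval.
    user_approved: the End-User's answer to "log out of the OP as well?"."""
    ended = False
    if user_approved:
        session.clear()  # spec: if the End-User says yes, the OP MUST log them out
        ended = True
    # On denial nothing changes at the OP; only the RP-side session is gone.
    target = valid_post_logout_uri(client_id, params.get("post_logout_redirect_uri"))
    if target is None:
        # Missing or unregistered URI: land on an OP page, never on the requested one.
        return LogoutOutcome(ended, OP_DEFAULT_LOGOUT_PAGE)
    if "state" in params:
        # Echo the RP's opaque state so it can correlate the callback.
        separator = "&" if "?" in target else "?"
        target = target + separator + urlencode({"state": params["state"]})
    return LogoutOutcome(ended, target)
```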