<div dir="ltr">Log the user out of the RP only, and redirect to the post_logout_redirect_uri?<div><br></div><div><blockquote style="margin:0 0 0 40px;border:none;padding:0px"><div>"In this case, the RP, after having logged the End-User out of the RP, redirects the End-User's User Agent to the OP's logout endpoint URL."</div><div><br></div></blockquote>Now you'll ask what if there's no post_logout_redirect_uri 😉 (though in this case the behavior should be the same whether the End-User wants to be logged out of the OP or only of the RP), and my answer would be "do as you want": show a message telling the user that he's been logged out, or redirect to some URI at the OP that doesn't require (re)authentication…</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Mar 30, 2020 at 5:42 PM Piraveena Paralogarajah <<a href="mailto:piraveena.14@cse.mrt.ac.lk">piraveena.14@cse.mrt.ac.lk</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><font color="#000000">Hi all,</font><div><font color="#000000"><br clear="all"></font><div><div style="margin:0px;padding:0px 16px 0px 0px;border:0px;font-variant-numeric:inherit;font-variant-east-asian:inherit;font-stretch:inherit;line-height:inherit;font-family:Arial,"Helvetica Neue",Helvetica,sans-serif;vertical-align:top;box-sizing:inherit;width:auto;min-width:0px"><div style="margin:0px 0px 5px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-weight:inherit;font-stretch:inherit;line-height:1.3;vertical-align:baseline;box-sizing:inherit;width:659px"><p style="margin:0px 0px 1em;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-weight:inherit;font-stretch:inherit;line-height:inherit;font-family:inherit;vertical-align:baseline;box-sizing:inherit;clear:both"><font color="#000000">According to the <a href="https://openid.net/specs/openid-connect-session-1_0.html#RPLogout" target="_blank">OIDC Session management</a> spec, </font></p></div></div></div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div><div style="margin:0px;padding:0px 16px 0px 0px;border:0px;font-variant-numeric:inherit;font-variant-east-asian:inherit;font-stretch:inherit;line-height:inherit;font-family:Arial,"Helvetica Neue",Helvetica,sans-serif;vertical-align:top;box-sizing:inherit;width:auto;min-width:0px"><div style="margin:0px 0px 5px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-weight:inherit;font-stretch:inherit;line-height:1.3;vertical-align:baseline;box-sizing:inherit;width:659px"><p style="margin:0px 0px 1em;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-weight:inherit;font-stretch:inherit;line-height:inherit;font-family:inherit;vertical-align:baseline;box-sizing:inherit;clear:both"><font color="#000000">"At the logout endpoint, the OP SHOULD ask the End-User whether he wants to log out of the OP as well. If the End-User says "yes", then the OP MUST log out the End-User.</font></p></div></div></div></blockquote><div><div style="margin:0px;padding:0px 16px 0px 0px;border:0px;font-variant-numeric:inherit;font-variant-east-asian:inherit;font-stretch:inherit;line-height:inherit;font-family:Arial,"Helvetica Neue",Helvetica,sans-serif;vertical-align:top;box-sizing:inherit;width:auto;min-width:0px"><div style="margin:0px 0px 5px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-weight:inherit;font-stretch:inherit;line-height:1.3;vertical-align:baseline;box-sizing:inherit;width:659px"><p style="margin:0px 0px 1em;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-weight:inherit;font-stretch:inherit;line-height:inherit;font-family:inherit;vertical-align:baseline;box-sizing:inherit;clear:both"><font color="#000000">It doesn't say how to handle when the user denies the logout consent. </font></p><p style="margin:0px 0px 1em;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-weight:inherit;font-stretch:inherit;line-height:inherit;font-family:inherit;vertical-align:baseline;box-sizing:inherit;clear:both"><span style="color:rgb(0,0,0);font-family:inherit;font-style:inherit;font-variant-ligatures:inherit;font-variant-caps:inherit;font-weight:inherit">How to handle if the user denies the logout consent? What is the possible approach?</span></p></div></div><div></div><div></div></div><div><div><font color="#000000">Appreciate your suggestions on this.</font></div><div><font color="#000000"><br></font></div><div><div>Thank you for your time,</div></div></div><div>Piraveena</div><div><br></div>-- <br><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div style="color:rgb(0,0,0);font-family:"Helvetica Neue","Segoe UI",Helvetica,Arial,"Lucida Grande",sans-serif;font-size:13px"><b>Piraveena Paralogarajah</b><br></div><div style="font-family:"Helvetica Neue","Segoe UI",Helvetica,Arial,"Lucida Grande",sans-serif;font-size:13px"><font color="#666666">Undergraduate,</font></div><div style="font-family:"Helvetica Neue","Segoe UI",Helvetica,Arial,"Lucida Grande",sans-serif;font-size:13px"><font color="#666666">Department of Computer Science and Engineering,</font></div><div style="font-family:"Helvetica Neue","Segoe UI",Helvetica,Arial,"Lucida Grande",sans-serif;font-size:13px"><font color="#666666">University of Moratuwa.</font></div><div style="color:rgb(0,0,0);font-family:"Helvetica Neue","Segoe UI",Helvetica,Arial,"Lucida Grande",sans-serif;font-size:13px"><br></div><div style="color:rgb(0,0,0);font-family:"Helvetica Neue","Segoe UI",Helvetica,Arial,"Lucida Grande",sans-serif"><br></div><div style="color:rgb(0,0,0);font-family:"Helvetica Neue","Segoe UI",Helvetica,Arial,"Lucida Grande",sans-serif"><font size="1"><b>E-mail</b>: <a href="mailto:piraveena.14@cse.mrt.ac.lk" target="_blank">piraveena.14@cse.mrt.ac.lk</a></font></div><div style="color:rgb(0,0,0);font-family:"Helvetica Neue","Segoe UI",Helvetica,Arial,"Lucida Grande",sans-serif"><font size="1"><b>Blog:</b> <a href="https://medium.com/@piraveenaparalogarajah" target="_blank">https://medium.com/@piraveenaparalogarajah</a></font></div><div style="color:rgb(0,0,0);font-family:"Helvetica Neue","Segoe UI",Helvetica,Arial,"Lucida Grande",sans-serif"><font size="1"><b>LinkedIn</b>:<a href="https://www.linkedin.com/in/piraveena-paralogarajah" target="_blank"> https://www.linkedin.com/in/piraveena-paralogarajah</a></font></div><div style="color:rgb(0,0,0);font-family:"Helvetica Neue","Segoe UI",Helvetica,Arial,"Lucida Grande",sans-serif"><font size="1"><span></span><span></span><br></font></div></div></div></div></div></div></div></div></div>
_______________________________________________<br>
Code mailing list<br>
<a href="mailto:Code@lists.openid.net" target="_blank">Code@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-code" rel="noreferrer" target="_blank">http://lists.openid.net/mailman/listinfo/openid-code</a><br>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature">Thomas Broyer<br>/t<a href="http://xn--nna.ma.xn--bwa-xxb.je/" target="_blank">ɔ.ma.bʁwa.je/</a></div>