<div dir="ltr"><div>Hi Piraveena,</div><div><br></div><div>The consent we are talking about here is about removing the whole OP session, not about the whole logout process initiated from the RP. Having the logout process reach this level means the user has already passed any consent/confirmation on the RP side of the logout flow. So at this point, the user should get logged out from the RP, but the user still has the option (only) to keep the OP session or remove the OP session, and that's what the OP consent is for.</div><div><br></div><div>So, denying the OP consent shouldn't be considered a logout failure case. Rather, the user opted to keep the OP-side session live and only wanted to remove the RP session.</div><div><br></div><div>Depending on the OP implementation, it might have to clear OP session information related to this RP, like removing this RP from the session participation list and updating obps session states, etc.</div><div><br></div><div>Thanks,</div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Mar 31, 2020 at 9:17 AM Piraveena Paralogarajah <<a href="mailto:piraveena.14@cse.mrt.ac.lk">piraveena.14@cse.mrt.ac.lk</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><font color="#000000">Hi Thomas Broyer and Darshana,</font><div><font color="#000000"><br></font></div><div><font color="#000000">Thanks for your response. </font></div><div><font color="#000000"><br></font></div><div><font color="#000000">According to the <a href="https://openid.net/specs/openid-connect-session-1_0.html#RPLogout" target="_blank">spec</a>, the user agent needs to be redirected to post_logout_redirect_uri by the OP after logout is performed.</font></div><div><font color="#000000"><br></font></div><div><dl><dt><font face="monospace" color="#000000">post_logout_redirect_uri</font></dt><dd><font face="monospace" color="#000000">OPTIONAL. 
URL to which the RP is requesting that the End-User's User Agent be redirected after a logout has been performed. The value MUST have been previously registered with the OP, either using the <tt>post_logout_redirect_uris</tt> Registration parameter or via another mechanism. If supplied, the OP SHOULD honor this request following the logout.</font></dd><dd style="font-family:verdana,charcoal,helvetica,arial,sans-serif"></dd></dl></div><div><br></div><div>But in this case, the user denies the logout consent and logout didn't happen on the OP side. So is it a correct approach to redirect to post_logout_redirect_uri, as logout failed on the OP side?</div><div><br></div><div>Thanks,</div><div>Piraveena</div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, 30 Mar 2020 at 21:53, Darshana Gunawardana <<a href="mailto:darshanasbg@gmail.com" target="_blank">darshanasbg@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Hi Piraveena,<div><br></div><div>If the RP is not sending the <i>post_logout_redirect_uri</i> or it's not matched with the OP-registered <i>post_logout_redirect_uris, </i>(regardless of whether the user denied or approved the consent) the user would be redirected to some page in the OP.</div><div><br></div><div>If the post_logout_redirect_uri is available and valid, IMO the better behaviour would be redirecting to the <i>post_logout_redirect_uri</i>. Here, the user will only be logged out from the RP, but not the OP.</div><div><br></div><div>PS: Saw Thomas's reply halfway through, but continued sending this one. 
:)</div><div><br></div><div>Thanks,</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Mar 30, 2020 at 8:28 PM Piraveena Paralogarajah <<a href="mailto:piraveena.14@cse.mrt.ac.lk" target="_blank">piraveena.14@cse.mrt.ac.lk</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><font color="#000000">Hi all,</font><div><font color="#000000"><br clear="all"></font><div><div style="margin:0px;padding:0px 16px 0px 0px;border:0px;font-variant-numeric:inherit;font-variant-east-asian:inherit;font-stretch:inherit;line-height:inherit;font-family:Arial,"Helvetica Neue",Helvetica,sans-serif;vertical-align:top;box-sizing:inherit;width:auto;min-width:0px"><div style="margin:0px 0px 5px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-weight:inherit;font-stretch:inherit;line-height:1.3;vertical-align:baseline;box-sizing:inherit;width:659px"><p style="margin:0px 0px 1em;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-weight:inherit;font-stretch:inherit;line-height:inherit;font-family:inherit;vertical-align:baseline;box-sizing:inherit;clear:both"><font color="#000000">According to the <a href="https://openid.net/specs/openid-connect-session-1_0.html#RPLogout" target="_blank">OIDC Session management</a> spec, </font></p></div></div></div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div><div style="margin:0px;padding:0px 16px 0px 0px;border:0px;font-variant-numeric:inherit;font-variant-east-asian:inherit;font-stretch:inherit;line-height:inherit;font-family:Arial,"Helvetica Neue",Helvetica,sans-serif;vertical-align:top;box-sizing:inherit;width:auto;min-width:0px"><div style="margin:0px 0px 5px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-weight:inherit;font-stretch:inherit;line-height:1.3;vertical-align:baseline;box-sizing:inherit;width:659px"><p style="margin:0px 0px 
1em;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-weight:inherit;font-stretch:inherit;line-height:inherit;font-family:inherit;vertical-align:baseline;box-sizing:inherit;clear:both"><font color="#000000">"At the logout endpoint, the OP SHOULD ask the End-User whether he wants to log out of the OP as well. If the End-User says "yes", then the OP MUST log out the End-User.</font></p></div></div></div></blockquote><div><div style="margin:0px;padding:0px 16px 0px 0px;border:0px;font-variant-numeric:inherit;font-variant-east-asian:inherit;font-stretch:inherit;line-height:inherit;font-family:Arial,"Helvetica Neue",Helvetica,sans-serif;vertical-align:top;box-sizing:inherit;width:auto;min-width:0px"><div style="margin:0px 0px 5px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-weight:inherit;font-stretch:inherit;line-height:1.3;vertical-align:baseline;box-sizing:inherit;width:659px"><p style="margin:0px 0px 1em;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-weight:inherit;font-stretch:inherit;line-height:inherit;font-family:inherit;vertical-align:baseline;box-sizing:inherit;clear:both"><font color="#000000">It doesn't say how to handle when the user denies the logout consent. </font></p><p style="margin:0px 0px 1em;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-weight:inherit;font-stretch:inherit;line-height:inherit;font-family:inherit;vertical-align:baseline;box-sizing:inherit;clear:both"><span style="color:rgb(0,0,0);font-family:inherit;font-style:inherit;font-variant-ligatures:inherit;font-variant-caps:inherit;font-weight:inherit">How to handle if the user denies the logout consent? 
What is the possible approach?</span></p></div></div><div></div><div></div></div><div><div><font color="#000000">Appreciate your suggestions on this.</font></div><div><font color="#000000"><br></font></div><div><div>Thank you for your time,</div></div></div><div>Piraveena</div><div><br></div>-- <br><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div style="color:rgb(0,0,0);font-family:"Helvetica Neue","Segoe UI",Helvetica,Arial,"Lucida Grande",sans-serif;font-size:13px"><b>Piraveena Paralogarajah</b><br></div><div style="font-family:"Helvetica Neue","Segoe UI",Helvetica,Arial,"Lucida Grande",sans-serif;font-size:13px"><font color="#666666">Undergraduate,</font></div><div style="font-family:"Helvetica Neue","Segoe UI",Helvetica,Arial,"Lucida Grande",sans-serif;font-size:13px"><font color="#666666">Department of Computer Science and Engineering,</font></div><div style="font-family:"Helvetica Neue","Segoe UI",Helvetica,Arial,"Lucida Grande",sans-serif;font-size:13px"><font color="#666666">University of Moratuwa.</font></div><div style="color:rgb(0,0,0);font-family:"Helvetica Neue","Segoe UI",Helvetica,Arial,"Lucida Grande",sans-serif;font-size:13px"><br></div><div style="color:rgb(0,0,0);font-family:"Helvetica Neue","Segoe UI",Helvetica,Arial,"Lucida Grande",sans-serif"><br></div><div style="color:rgb(0,0,0);font-family:"Helvetica Neue","Segoe UI",Helvetica,Arial,"Lucida Grande",sans-serif"><font size="1"><b>E-mail</b>: <a href="mailto:piraveena.14@cse.mrt.ac.lk" target="_blank">piraveena.14@cse.mrt.ac.lk</a></font></div><div style="color:rgb(0,0,0);font-family:"Helvetica Neue","Segoe UI",Helvetica,Arial,"Lucida Grande",sans-serif"><font size="1"><b>Blog:</b> <a href="https://medium.com/@piraveenaparalogarajah" target="_blank">https://medium.com/@piraveenaparalogarajah</a></font></div><div style="color:rgb(0,0,0);font-family:"Helvetica Neue","Segoe UI",Helvetica,Arial,"Lucida Grande",sans-serif"><font 
size="1"><b>LinkedIn</b>:<a href="https://www.linkedin.com/in/piraveena-paralogarajah" target="_blank"> https://www.linkedin.com/in/piraveena-paralogarajah</a></font></div><div style="color:rgb(0,0,0);font-family:"Helvetica Neue","Segoe UI",Helvetica,Arial,"Lucida Grande",sans-serif"><font size="1"><span></span><span></span><br></font></div></div></div></div></div></div></div></div></div>
_______________________________________________<br>
specs mailing list<br>
<a href="mailto:specs@lists.openid.net" target="_blank">specs@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs" rel="noreferrer" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs</a><br>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr"><div dir="ltr"><div><div dir="ltr"><div style="font-size:small"><div dir="ltr"><font face="georgia, serif">Regards,</font><div><div><font face="georgia, serif"><b>Darshana Gunawardana</b></font></div></div></div><div dir="ltr"><font color="#333333" face="georgia, serif"><a href="https://www.linkedin.com/in/darshana-gunawardana-a23b6037/" target="_blank">https://www.linkedin.com/in/darshana-gunawardana-a23b6037/</a></font></div></div></div></div></div></div>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div style="color:rgb(0,0,0);font-family:"Helvetica Neue","Segoe UI",Helvetica,Arial,"Lucida Grande",sans-serif;font-size:13px"><b>Piraveena Paralogarajah</b></div><div style="color:rgb(0,0,0);font-family:"Helvetica Neue","Segoe UI",Helvetica,Arial,"Lucida Grande",sans-serif;font-size:13px"><br></div><div style="color:rgb(0,0,0);font-family:"Helvetica Neue","Segoe UI",Helvetica,Arial,"Lucida Grande",sans-serif"><br></div><div style="color:rgb(0,0,0);font-family:"Helvetica Neue","Segoe UI",Helvetica,Arial,"Lucida Grande",sans-serif"><font size="1"><b>E-mail</b>: <a href="mailto:piraveena.14@cse.mrt.ac.lk" target="_blank">piraveena.14@cse.mrt.ac.lk</a></font></div><div style="color:rgb(0,0,0);font-family:"Helvetica Neue","Segoe UI",Helvetica,Arial,"Lucida Grande",sans-serif"><font size="1"><b>Blog:</b> <a href="https://medium.com/@piraveenaparalogarajah" target="_blank">https://medium.com/@piraveenaparalogarajah</a></font></div><div style="color:rgb(0,0,0);font-family:"Helvetica Neue","Segoe UI",Helvetica,Arial,"Lucida Grande",sans-serif"><font size="1"><b>LinkedIn</b>:<a href="https://www.linkedin.com/in/piraveena-paralogarajah" target="_blank"> https://www.linkedin.com/in/piraveena-paralogarajah</a></font></div><div style="color:rgb(0,0,0);font-family:"Helvetica Neue","Segoe UI",Helvetica,Arial,"Lucida Grande",sans-serif"><font size="1"><span></span><span></span><br></font></div></div></div></div></div></div></div></div></div>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div style="font-size:small"><div dir="ltr"><font face="georgia, serif">Regards,</font><div><div><font face="georgia, serif"><b>Darshana Gunawardana</b></font></div></div></div><div dir="ltr"><font color="#333333" face="georgia, serif"><a href="https://www.linkedin.com/in/darshana-gunawardana-a23b6037/" target="_blank">https://www.linkedin.com/in/darshana-gunawardana-a23b6037/</a></font></div></div></div></div></div></div></div>
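<div>Added example, not part of the original thread and not taken from any OP implementation: a Python sketch of the behaviour the replies above describe, where denying the OP consent keeps the OP session but removes the requesting RP from its participants, and the redirect target is chosen the same way for both answers. The names OPSession, finish_logout and OP_DEFAULT_PAGE and the example URLs are hypothetical, the client_id is assumed to be already identified, and the state echo follows the RP-initiated logout section of the linked spec.</div>

```python
from dataclasses import dataclass, field
from urllib.parse import urlencode

# Hypothetical OP-hosted page used when no valid redirect target exists.
OP_DEFAULT_PAGE = "https://op.example/logged-out"


@dataclass
class OPSession:
    """OP-side session and the RPs (client_ids) that participate in it."""
    participants: set = field(default_factory=set)
    active: bool = True


def finish_logout(session, client_id, registered_uris,
                  post_logout_redirect_uri, state, user_approved):
    """Return the redirect target once the End-User has answered the OP prompt."""
    if user_approved:
        # "Yes": the OP MUST log the End-User out, so the whole session ends.
        session.active = False
        session.participants.clear()
    else:
        # "No" is not a logout failure: keep the OP session, but stop
        # counting this RP as a participant in it.
        session.participants.discard(client_id)

    # Same redirect rule for both answers. Exact match against the values
    # registered for this RP; prefix or substring matching would turn the
    # logout endpoint into an open redirector.
    if post_logout_redirect_uri and post_logout_redirect_uri in registered_uris:
        if state is None:
            return post_logout_redirect_uri
        sep = "&" if "?" in post_logout_redirect_uri else "?"
        return post_logout_redirect_uri + sep + urlencode({"state": state})
    return OP_DEFAULT_PAGE


if __name__ == "__main__":
    registered = {"https://rp-a.example/after-logout"}  # constructed sample
    s = OPSession(participants={"rp-a", "rp-b"})
    print(finish_logout(s, "rp-a", registered,
                        "https://rp-a.example/after-logout", "xyz", False))
    print(s)
```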