<div dir="ltr">Hi Nat Sakimura,<div><br></div><div>Thanks for your suggestion. I have posted this to <a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a></div><div><br></div><div>Thanks,</div><div>Piraveena</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, 9 Jul 2020 at 12:37, Nat Sakimura <nat@nat.consulting> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<div name="messageBodySection">
<div dir="auto">Hi<br>
<br>
It might be better for you to post this to the OpenID AB/C WG. There are more experts there. The list address is<br>
<br>
<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a><br>
<br>
You need to sign the IPR agreement and subscribe to the list before posting but the IPR agreement is asking just you so not sure other implenters in implementing the spec so it shouldn't be hard.<br>
<br>
Best,<br></div>
</div>
<div name="messageSignatureSection"><br>
Nat Sakimura<br>
Chairman, OpenID Foundation<br>
<a href="https://nat.sakimura.org" target="_blank">https://nat.sakimura.org</a></div>
<div name="messageReplySection">2020年7月9日 14:41 +0900、Piraveena Paralogarajah <<a href="mailto:piraveena.14@cse.mrt.ac.lk" target="_blank">piraveena.14@cse.mrt.ac.lk</a>>のメール:<br>
<blockquote type="cite">
<div dir="ltr">Hi all,
<div><br></div>
<div>We have a requirement for using encrypted_id_token which is signed using the application's certificate. But we have some issues when using encrypted_id_tokens during OIDC logout. </div>
<div>. </div>
<div>Use Case is the following.</div>
<div><br></div>
<div>1. An application is using encrypted id_token due to security measures. This id_token is encrypted using the application's certificate.</div>
<div>2. Once log out from the application it needs to redirect the user to end application</div>
<div>3. To achieve 2; the application must send the plain text id_token as id_token_hint. Because the IDP is using td_token to identify the application. </div>
<div><br></div>
<div>We could find the following possible solutions</div>
<div><br></div>
<div><font face="arial, sans-serif">1. Make id_token_hint is not required to redirect to the application. But we use id_token_hint to identify the RP-initiated-logout. From the id_token_hint, we derive the client_id. What is the best approach to identify the client during logout?</font></div>
<div><font face="arial, sans-serif"><br></font></div>
<div><font face="arial, sans-serif">2. Ask from application to encrypt the decrypted token from idp-certificate. Then in the logout flow, idp decrypts & verifies the token. This adds more overhead for application well.</font></div>
<div><font face="arial, sans-serif"><br></font></div>
<div><font face="arial, sans-serif">Any thoughts on how to handle encrypted id_token_hint for OIDC logout? </font></div>
<div><font face="arial, sans-serif"><br></font></div>
<div>
<div>
<div><font color="#000000" face="arial, sans-serif">Appreciate your suggestions on this.</font></div>
<div><font color="#000000" face="arial, sans-serif"><br></font></div>
<div>
<div><font face="arial, sans-serif">Thank you for your time,</font></div>
</div>
</div>
<div><font face="arial, sans-serif">Piraveena</font></div>
</div>
--<br>
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div style="color:rgb(0,0,0);font-family:"Helvetica Neue","Segoe UI",Helvetica,Arial,"Lucida Grande",sans-serif;font-size:13px"><b>Piraveena Paralogarajah</b></div>
<div style="color:rgb(0,0,0);font-family:"Helvetica Neue","Segoe UI",Helvetica,Arial,"Lucida Grande",sans-serif;font-size:13px"><br></div>
<div style="color:rgb(0,0,0);font-family:"Helvetica Neue","Segoe UI",Helvetica,Arial,"Lucida Grande",sans-serif"><font size="1"><b>Blog:</b> <a href="https://medium.com/@piraveenaparalogarajah" target="_blank">https://medium.com/@piraveenaparalogarajah</a></font></div>
<div style="color:rgb(0,0,0);font-family:"Helvetica Neue","Segoe UI",Helvetica,Arial,"Lucida Grande",sans-serif"><font size="1"><b>LinkedIn</b>:<a href="https://www.linkedin.com/in/piraveena-paralogarajah" target="_blank"> https://www.linkedin.com/in/piraveena-paralogarajah</a></font></div>
<div style="color:rgb(0,0,0);font-family:"Helvetica Neue","Segoe UI",Helvetica,Arial,"Lucida Grande",sans-serif"><font size="1"><span></span><span></span><br></font></div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
_______________________________________________<br>
Code mailing list<br>
<a href="mailto:Code@lists.openid.net" target="_blank">Code@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-code" target="_blank">http://lists.openid.net/mailman/listinfo/openid-code</a><br></blockquote>
</div>
</div>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div style="color:rgb(0,0,0);font-family:"Helvetica Neue","Segoe UI",Helvetica,Arial,"Lucida Grande",sans-serif;font-size:13px"><b>Piraveena Paralogarajah</b></div><div style="color:rgb(0,0,0);font-family:"Helvetica Neue","Segoe UI",Helvetica,Arial,"Lucida Grande",sans-serif;font-size:13px"><br></div><div style="color:rgb(0,0,0);font-family:"Helvetica Neue","Segoe UI",Helvetica,Arial,"Lucida Grande",sans-serif"><font size="1"><b>Blog:</b> <a href="https://medium.com/@piraveenaparalogarajah" target="_blank">https://medium.com/@piraveenaparalogarajah</a></font></div><div style="color:rgb(0,0,0);font-family:"Helvetica Neue","Segoe UI",Helvetica,Arial,"Lucida Grande",sans-serif"><font size="1"><b>LinkedIn</b>:<a href="https://www.linkedin.com/in/piraveena-paralogarajah" target="_blank"> https://www.linkedin.com/in/piraveena-paralogarajah</a></font></div><div style="color:rgb(0,0,0);font-family:"Helvetica Neue","Segoe UI",Helvetica,Arial,"Lucida Grande",sans-serif"><font size="1"><span></span><span></span><br></font></div></div></div></div></div></div></div></div>