[Openid-specs-ab] end_session endpoint parameter specs

Torsten Lodderstedt torsten at lodderstedt.net
Mon Jan 20 16:28:08 UTC 2014 

Hi Todd,

this page would not necessarily have a client id.

Regards,
Torsten.



Todd W Lainhart <lainhart at us.ibm.com> schrieb:
>Hi Torsten -
>
>> We see the need to trigger a logout from pages, which did not
>previously 
>process a login (portal, landing page).
>
>Would your page have a client_id available?  It's a requirement that
>the 
>provided post_logout_uri be registered.  I was trying to intuit how
>that 
>would be done given the current param spec, in which the client_id was 
>only available (perhaps) as the "aud" field of the id_token.
>
>
>
>
>
>Todd Lainhart
>Rational software
>IBM Corporation
>550 King Street, Littleton, MA 01460-1250
>1-978-899-4705
>2-276-4705 (T/L)
>lainhart at us.ibm.com
>
>
>
>
>From:   Torsten Lodderstedt <torsten at lodderstedt.net>
>To:     Todd W Lainhart/Lexington/IBM at IBMUS, 
>Cc:     "openid-specs-ab at lists.openid.net" 
><openid-specs-ab at lists.openid.net>
>Date:   01/18/2014 03:44 AM
>Subject:        Re: [Openid-specs-ab] end_session endpoint parameter
>specs
>
>
>
>Hi Todd,
>
>I think your proposal to make the id token hint required if the post 
>logout uri is present limits applicability of the logout mechanism. We
>see 
>the need to trigger a logout from pages, which did not previously
>process 
>a login (portal, landing page). This would be impossible.
>
>General note: I think the security consideration section must discuss
>open 
>redirection at the end session endpoint. I assume registration of post 
>logout uri serves the purpose of preventing this threat but this is not
>
>documented.
>
>regards,
>Torsten.
>
>Am 17.01.2014 um 22:45 schrieb Todd W Lainhart <lainhart at us.ibm.com>:
>
>Last week I filed: 
>
>https://bitbucket.org/openid/connect/issue/914/session-5-missing-client_id-parameter
>
>
>
>...where I stated that a required client_id parm was missing that
>allowed 
>for the verification of the post_logout_uri value.  I've implemented
>this 
>endpoint, and I think that I see that this parm may not be necessary. 
>
>Section 5 of the session mgmt. spec says this: 
>
>//=========== 
>This specification also defines the following parameters that are
>passed 
>as query parameters in the logout request: 
>id_token_hint 
>RECOMMENDED. Previously issued ID Token passed to the logout endpoint
>as a 
>hint about the End-User's current authenticated session with the
>Client. 
>This is used as an indication of the identity of the End-User that the
>RP 
>is requesting be logged out by the OP. The OP need not be listed as an 
>audience of the ID Token when it is used as an id_token_hint value. 
>post_logout_redirect_uri 
>OPTIONAL. URL to which the RP is requesting that the End-User's User
>Agent 
>be redirected after a logout has been performed. The value MUST have
>been 
>previously registered with the OP, either using the 
>post_logout_redirect_uris Registration parameter or via another
>mechanism. 
>If supplied, the OP SHOULD honor this request following the logout. 
>
>
>//=========== 
>
>I would reword these definitions to say something along the following 
>lines: 
>
>post_logout_redirect_uri  OPTIONAL.  The URL to which the RP is
>requesting 
>that the End-User's User Agent be redirected to after the logout has
>been 
>performed.  The value MUST have been previously registered with the OP,
>
>either using the post_logout_redirect_uris Registration parameter or
>via 
>another mechanism.  If supplied, id_token_hint MUST be specified. 
>
>id_token_hint REQUIRED if "post_logout_redirect_uri" is specified, 
>otherwise RECOMMENDED.  The previously issued ID Token passed to the 
>logout endpoint as a hint about the End-User's current authenticated 
>session with the Client. This is used as an indication of the identity
>of 
>the End-User that the RP is requesting be logged out by the OP. If 
>"post_logout_redirect_uri" is specified, then the "aud" member of this 
>token MUST be a single element, and MUST be the client_id to which the 
>specified "post_logout_redirect_uri" is registered. 
>
>Additionally, a decision should be made as to whether a state parameter
>
>should be included that can be round-tripped via the 
>post_logout_redirect_uri.  Either that, or the value of the
>id_token_hint 
>parm is returned via the post_logout_redirect_uri redirect. 
>
>The implication of this is that the end_session_endpoint can be called 
>with no parameters, an id_token_hint, or both id_token_hint and 
>post_logout_redirect_uri. 
>
>
>
>
>
>
>
>Todd Lainhart
>Rational software
>IBM Corporation
>550 King Street, Littleton, MA 01460-1250
>1-978-899-4705
>2-276-4705 (T/L)
>lainhart at us.ibm.com
>
>_______________________________________________
>Openid-specs-ab mailing list
>Openid-specs-ab at lists.openid.net
>http://lists.openid.net/mailman/listinfo/openid-specs-ab
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20140120/c204a301/attachment.html>

More information about the Openid-specs-ab mailing list