[Openid-specs-ab] Section 5: end_session endpoint and state parm

Todd W Lainhart lainhart at us.ibm.com
Fri Jan 31 22:31:32 UTC 2014


I think that I raised this in last Monday's call, and John countered, but 
I'm not remembering the details of his counter.  Perhaps something to do 
with post_logout_redirect_uri registrations and exact match, and the 
expectation that the RP will just show a logout page.

In discussing this with a colleague, we're considering augmenting our 
implementation to say that the RP can pass in a state parm that will be 
returned to the RP in the post_logout_redirect_uri callback.  The scenario 
he describes is the following: 

"When you have a "Sign Out" button on the banner of all your resource 
server's unprotected and protected web pages, the user might want to 
return to the page after signing out. This is not possible currently.  A 
state parameter passed to the end session endpoint and passed back as a 
parameter to the post_logout_redirect_uri would make this possible."

The presumption is that the RP is encoding a return URI in this value, 
similar to guidance given in the authorization code flow.

Can anyone see a problem with this approach, and if not, does it make sense 
to augment Section 5 of the mgmt. spec?





Todd Lainhart
Rational software
IBM Corporation
550 King Street, Littleton, MA 01460-1250
1-978-899-4705
2-276-4705 (T/L)
lainhart at us.ibm.com
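
An added example, not part of the original post or of any implementation it mentions: one way an RP could carry the return page in the proposed state value, with a MAC and a same-site path check so that the value coming back on the post_logout_redirect_uri callback cannot be altered into an arbitrary redirect. The key RP_KEY, the helper names and the URLs used with them are assumptions.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

RP_KEY = secrets.token_bytes(32)  # assumption: RP-wide secret, kept server-side


def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def is_local_path(path: str) -> bool:
    """Accept only same-site paths: one leading '/', no backslash, no control chars."""
    return (path.startswith("/") and not path.startswith("//")
            and "\\" not in path and all(c.isprintable() for c in path))


def make_state(return_path: str, key: bytes = RP_KEY) -> str:
    """Encode the page to return to after logout and MAC it against tampering."""
    if not is_local_path(return_path):
        return_path = "/"
    payload = return_path.encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return b64e(payload) + "." + b64e(tag)


def end_session_url(endpoint: str, post_logout_redirect_uri: str, state: str) -> str:
    """Build the logout request; 'state' is the parameter proposed in the post."""
    query = urlencode({"post_logout_redirect_uri": post_logout_redirect_uri,
                       "state": state})
    return endpoint + "?" + query


def return_path_from_state(state: str, key: bytes = RP_KEY, default: str = "/") -> str:
    """Callback side: use the encoded path only if the MAC and path checks pass."""
    try:
        body, tag = state.split(".")
        payload = b64d(body)
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64d(tag)):
            return default
        path = payload.decode()
    except (ValueError, UnicodeDecodeError):
        return default
    return path if is_local_path(path) else default
```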