[Openid-specs-ab] OpenID Connect Logout using HTTP GET
John Bradley
ve7jtb at ve7jtb.com
Sun Feb 15 19:34:22 UTC 2015
Both
forcing a user to logout of a RP might also be used as part of a larger phishing attack, especially if the IdP returns the user to the bad guy's landing page by redirecting to the post_logout_redirect_uri.
That redirect URI needs to be registered, but without authenticating the RP via having an id_token for the user, Bad RP A could log the user out of all sessions and redirect the user to itself, without the user currently being logged in.
Without the id_token all the IdP can do is log the user out of all sessions.
Though when we start talking about IdP session management things get a bit fuzzy. Many IdPs will automatically log the user back into an RP if they are still logged in to the IdP; the IdP may not have any real notion of state per RP connection.
John B.
On Feb 15, 2015, at 1:29 PM, Torsten Lodderstedt <torsten at lodderstedt.net> wrote:
>
>
> against the RP or the user?
>
> Am 15.02.2015 um 17:22 schrieb John Bradley:
>> It might be used as a denial of service via xsrf.
>
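One way an OP could handle the two cases raised above (the unauthenticated GET logout and the redirect to an unverified post_logout_redirect_uri), as an added example that is not from the thread or from any OpenID implementation; the registered RP, its redirect URI, the HMAC key and the toy HS256 id_token are constructed stand-ins for the real registration data and JWS.

```python
import base64, hashlib, hmac, json

# Constructed example data: one registered RP and its allowed post-logout URI.
REGISTERED_RPS = {"rp-a": {"post_logout_redirect_uris": ["https://rp-a.example/loggedout"]}}
OP_KEY = b"constructed-op-signing-key"  # stands in for the OP's JWS signing key


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def mint_id_token(sub: str, aud: str) -> str:
    """Toy HS256 id_token (header.payload.signature) issued by the OP to RP `aud`."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps({"iss": "https://op.example", "sub": sub, "aud": aud}).encode())
    sig = hmac.new(OP_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_id_token(token: str):
    """Return the claims if the signature verifies, otherwise None."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(OP_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(expected), sig):
        return None
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def handle_logout(session: dict, params: dict) -> dict:
    """OP logout endpoint: decide what to do with a logout request for `session`."""
    claims = verify_id_token(params["id_token_hint"]) if "id_token_hint" in params else None
    target = params.get("post_logout_redirect_uri")
    # No id_token for the current user: the request proves nothing about who sent it
    # (it may be a cross-site GET), so do not end the session silently and never follow
    # the supplied redirect.
    if claims is None or claims.get("sub") != session["sub"]:
        return {"action": "prompt_user", "redirect": None}
    session["logged_in"] = False
    rp = REGISTERED_RPS.get(claims.get("aud"), {})
    # Redirect only to a URI registered for the RP the id_token was issued to.
    if target in rp.get("post_logout_redirect_uris", []):
        return {"action": "logout", "redirect": target}
    return {"action": "logout", "redirect": None}
```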