[Openid-specs-ab] Spec Call Notes 21-Jun-18
George Fletcher
gffletch at aol.com
Fri Jun 22 17:44:11 UTC 2018
I reviewed the docs and there is discussion of this issue already
present that I missed.
Section 5 (RP-Initiated Logout) from the Session Management spec
RECOMMENDS use of the id_token_hint and ends the section with a
statement that the OP should ask the user if they want to logout of the
OP or not.
Section 8 (Security Considerations) from the Session Management spec
calls out that "Logout requests without a valid 'id_token_hint' value
are a potential means of denial of service; therefore, OPs may want to
require explicit user confirmation before acting upon them."
Section 1 (Introduction) from the Front-Channel logout spec identifies
that the spec reuses the RP-Initiated Logout functionality from the
Session Management spec.
All the bases are covered, though it's easy to miss. I don't know if
what we have is sufficient or we should add more text.
The only normative change we could make that might make things easier
for RPs, now that session id is defined, would be to update Section 5 of
the Session Management spec to allow for specification of the session id
instead of the id_token.
Thoughts?
Thanks,
George
On 6/21/18 10:48 AM, Mike Jones via Openid-specs-ab wrote:
>
> Unauthenticated Logout Requests
>
> George will file an issue proposing Security
> Considerations language about denial of service attacks using
> front-channel logout
>
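The policy George points at in Section 5 and Section 8 of the Session Management spec is straightforward to implement on the OP side, and the following is an added example of it. It is not code from this thread, from the OpenID specs or from any OP implementation. It models the OP's end_session endpoint as a function: a logout request whose id_token_hint verifies and names the OP's current browser session ends that session without prompting; a request with no hint, an unverifiable hint, or a hint for a different user or session is treated as an unauthenticated logout request and is answered with a user confirmation prompt instead of a silent logout, which is what closes the denial-of-service hole. The issuer, client id, HS256 key and session layout are constructed for the demo (a real OP would verify against its own asymmetric signing keys), the sub/sid matching rule is this example's design choice, and George's proposal to accept a session id in place of the id_token is not implemented here.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo values (assumptions for this example, not from the thread or the spec).
OP_ISSUER = "https://op.example.com"
OP_HS256_KEY = b"constructed-demo-key-not-for-production"  # a real OP would use an asymmetric key from its JWKS
RP_CLIENT_ID = "rp-client-1"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(sub: str, sid: str, aud: str = RP_CLIENT_ID, now: Optional[int] = None) -> str:
    """Issue a compact HS256 ID Token carrying sub and sid (the OP side of the demo)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": OP_ISSUER, "sub": sub, "aud": aud, "sid": sid, "iat": now, "exp": now + 600}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(OP_HS256_KEY, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_id_token_hint(token: str) -> Optional[dict]:
    """Return the claims if the hint was signed by this OP, else None.

    Only algorithm pinning, signature and issuer are checked. Expiry is deliberately not
    enforced (a design choice of this example): the hint tells the OP which session the RP
    means; it is not being used as a fresh authentication assertion.
    """
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # pin the algorithm; never let the token pick it
            return None
        expected = hmac.new(OP_HS256_KEY, f"{header_b64}.{claims_b64}".encode("ascii"),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(claims_b64))
    except (ValueError, UnicodeDecodeError):  # malformed base64/JSON or wrong segment count
        return None
    if claims.get("iss") != OP_ISSUER:
        return None
    return claims


def handle_end_session(params: dict, op_session: Optional[dict]) -> str:
    """Decide what the OP's end_session endpoint does with an RP-initiated logout request.

    params:     query parameters of the logout request (id_token_hint is optional)
    op_session: the OP's current browser session, e.g. {"sub": ..., "sid": ...}, or None

    Returns one of:
      "logged_out"        - hint verifies and names the current session; end it without prompting
      "confirm_with_user" - no usable hint; ask the user whether to log out of the OP (Section 8)
      "no_session"        - nothing to log out of
    """
    if op_session is None:
        return "no_session"
    hint = params.get("id_token_hint")
    claims = verify_id_token_hint(hint) if hint else None
    if claims is None:
        # Unauthenticated logout request: anyone who can make the browser hit this URL could
        # otherwise terminate the user's OP session at will (the DoS the thread is about).
        return "confirm_with_user"
    if claims.get("sub") != op_session["sub"]:
        return "confirm_with_user"  # a token for some other user proves nothing about this session
    if "sid" in claims and claims["sid"] != op_session.get("sid"):
        return "confirm_with_user"  # a token for an old or different session; don't silently kill this one
    return "logged_out"
```

The three return values map onto what the OP would actually do: clear the session and honour post_logout_redirect_uri, render a "do you want to log out of the OP?" page, or simply redirect. Keeping the decision in one function makes the unauthenticated path easy to audit: the only way to reach "logged_out" is through a hint whose signature and session claims check out.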