[Openid-specs-ab] session management - front channel logout - expired id_token hint
Phil Hunt
phil.hunt at oracle.com
Sat Aug 31 00:26:31 UTC 2019
A question has arisen based on differences observed in multiple implementations.
When executing front channel logout per the session management spec, it is unclear what the response should be if “id_token_hint” contains an expired token. The processing rules allow you to ignore audience, but they say nothing about an expired token.
id_token_hint
RECOMMENDED. Previously issued ID Token passed to the logout endpoint as a hint about the End-User's current authenticated session with the Client. This is used as an indication of the identity of the End-User that the RP is requesting be logged out by the OP. The OP need not be listed as an audience of the ID Token when it is used as an id_token_hint value.
Section 6 says…
"If any of the validation procedures defined in this specification fail, any operations requiring the information that failed to correctly validate MUST be aborted and the information that failed to validate MUST NOT be used."
The problem is, the spec never calls for the token to be validated but it does say you can skip the audience.
In this case what is the correct response? It seems like an error should be returned. Though killing an expired session doesn’t seem like much more than a no-op. It seems like this would provide better UX.
The concern is that if accepted it might be used as a DoS attack to cause the redirect URL to be invoked when it shouldn’t.
Phil Hunt | OCI IDCS Cloud Identity & Security Architect
Oracle Corporation, Oracle Cloud Infrastructure
@independentid
www.independentid.com
phil.hunt at oracle.com
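As an added example (not part of Phil's mail or of the OpenID specs), here is a minimal logout-endpoint check for id_token_hint that verifies the signature, deliberately skips the audience as the spec text allows, and makes the expired-token question an explicit policy switch instead of a hidden default. The HS256 key and the token claims are constructed for the demo; a real OP would verify against its own asymmetric signing keys.

```python
import base64
import hashlib
import hmac
import json

# Constructed HS256 key for the demo only; a real OP verifies RS256/ES256 with its own JWKS.
OP_KEY = b"constructed-demo-key-not-for-production"

def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_id_token(claims: dict, key: bytes = OP_KEY) -> str:
    """Build a constructed HS256 ID Token so the example runs offline."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def check_id_token_hint(token: str, now: int, allow_expired: bool, key: bytes = OP_KEY):
    """Validate an id_token_hint presented to the logout endpoint.

    Returns (accepted, reason, claims). The audience is not checked, because the
    spec says the OP need not be listed in aud. Whether an expired token is still
    accepted is the open question from the mail, so it is a caller-chosen policy.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # wrong part count, bad base64url, or invalid JSON
        return False, "malformed", None
    if header.get("alg") != "HS256":
        return False, "unsupported_alg", None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        # Section 6: information that failed to validate MUST NOT be used, so
        # neither sub nor any redirect tied to this hint may be acted on.
        return False, "bad_signature", None
    # exp is REQUIRED in an ID Token; a missing exp is treated as already expired.
    if claims.get("exp", 0) <= now:
        return (True, "expired_accepted", claims) if allow_expired else (False, "expired", None)
    return True, "ok", claims
```

With allow_expired=False the hint is rejected outright and nothing derived from it (not even the sub) is used; with allow_expired=True the OP may match the session by sub, which for an already-expired session is effectively the no-op the mail describes.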