[Openid-specs-ab] Frontchannel logout: logging out when no iss is provided

Tangui Le Pense tangui.lepense at mail.ru
Sat Oct 31 10:15:58 UTC 2020


I’m a bit late to the party, so sorry if these points have already been 
discussed.
I’m currently implementing frontchannel logout 
(https://openid.net/specs/openid-connect-frontchannel-1_0-04.html) in an 
RP and in case `iss` (and `sid`) is not provided when the OP hits the 
frontchannel logout URI, I was wondering:
- can’t any site open this URI in an iframe and trigger logout? A site 
periodically refreshing such a malicious iframe would result in a kind of 
DoS attack. If the RP is not capable of temporarily saving form data, 
it could be even more annoying for the user experiencing data loss. 
Sure, if that happens, the RP will redirect to the OP which will 
probably seamlessly redirect back to the RP with a new ID token. But 
this is not documented as a security risk or anywhere else, which is why 
I’m wondering if I’ve just missed something here.
- if the RP can have several sessions opened from different OPs, how can 
the RP know which OP to log out from? For now I’m sticking to a «kill all 
sessions» approach, but it’s not satisfying.
Best,
-- 
Tangui
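An RP-side check that addresses both points in the post, added here as an example and not code from the post or from any implementation it mentions: the frontchannel logout handler refuses requests that lack `iss` and `sid`, accepts only issuers the RP is registered with, and ends just the session those two values identify instead of killing every session. The issuer URLs, session ids and `demo_state()` fixture are constructed for the example.

```python
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# Constructed: OPs this RP has registered with. An RP can signal that it
# needs iss/sid by registering frontchannel_logout_session_required=true.
KNOWN_ISSUERS = {"https://op-a.example", "https://op-b.example"}


@dataclass
class Session:
    iss: str          # OP that issued the ID token for this session
    sid: str          # OP session id (from the ID token's sid claim)
    active: bool = True


@dataclass
class RpState:
    # local session id -> Session
    sessions: dict = field(default_factory=dict)


def handle_frontchannel_logout(state: RpState, request_uri: str):
    """Handle a GET to the RP's frontchannel logout URI.

    Returns (http_status, message). Without iss and sid the request is
    rejected, so an arbitrary site loading the URI in an iframe cannot
    terminate anything. With them, only the matching session is ended,
    so sessions from other OPs are left alone.
    """
    query = parse_qs(urlsplit(request_uri).query)
    iss = query.get("iss", [None])[0]
    sid = query.get("sid", [None])[0]
    if not iss or not sid:
        return 400, "iss and sid are required"
    if iss not in KNOWN_ISSUERS:
        return 400, "unknown issuer"
    for local_id, sess in state.sessions.items():
        if sess.active and sess.iss == iss and sess.sid == sid:
            sess.active = False
            return 200, f"session {local_id} terminated"
    return 200, "no matching session"


def demo_state() -> RpState:
    """Constructed fixture: one session from each of two OPs."""
    return RpState(sessions={
        "local-1": Session("https://op-a.example", "sid-1"),
        "local-2": Session("https://op-b.example", "sid-2"),
    })
```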

