[Openid-specs-ab] Issue #1605: Back-Channel Logout Request: Specify to handle timed out requests / offline RPs (openid/connect)
Erik Tesar
issues-reply at bitbucket.org
Sat Aug 20 09:43:52 UTC 2022
New issue 1605: Back-Channel Logout Request: Specify to handle timed out requests / offline RPs
https://bitbucket.org/openid/connect/issues/1605/back-channel-logout-request-specify-to
Erik Tesar:
After reading the current (and almost final!) draft, as an implementer I am not sure how to handle cases where the OP wants to send an HTTP request to the RP with the Logout Token (as defined in section 2.5) but fails because the connection times out. There are many possible reasons why something like this could happen, for example, if the RP has an outage.
Currently, the draft does not specify how to handle these cases and this could (and almost certainly will) lead to inconsistent behavior between implementations. If I were to implement the draft, I would find it reasonable to try to send the request again after some time since a logout is a pretty important event. But I think it would also be reasonable to not re-send the logout event.
In my opinion, the spec must clearly state how to handle these cases to prevent inconsistent behavior and wrong assumptions across implementations.
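One way an OP could handle the timed-out deliveries this issue raises, as an added example that is not part of the issue, the draft, or any reference implementation: the request is the form-encoded POST carrying the `logout_token` parameter that the draft defines, while the retry policy (exponential backoff, no retry once the RP rejects the token with a 4xx, give up after a few attempts and keep the log for an operator) is this example's own assumption, exactly the behavior the issue asks the spec to pin down. The `send` transport and the `flaky_rp` simulator are constructed so the example runs offline.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, List

class DeliveryTimeout(Exception):
    """Raised by the transport when the RP does not answer within the timeout."""

@dataclass
class LogoutJob:
    """One pending back-channel logout request for a single RP (constructed example)."""
    backchannel_logout_uri: str
    logout_token: str        # the signed Logout Token JWT of section 2.5; opaque here
    max_attempts: int = 4
    attempts: int = 0
    log: List[str] = field(default_factory=list)

def deliver_with_retry(job: LogoutJob, send: Callable[[str, dict], int],
                       sleep: Callable[[float], None] = time.sleep) -> bool:
    """POST the Logout Token to the RP, retrying transient failures with backoff.
    `send(uri, form)` does the HTTP POST and returns the status or raises DeliveryTimeout.
    Policy (this example's assumption, not the draft's): 2xx delivered; 4xx RP rejected
    the token, stop; 5xx/timeout transient, retry up to max_attempts then give up."""
    while job.attempts < job.max_attempts:
        job.attempts += 1
        try:
            status = send(job.backchannel_logout_uri, {"logout_token": job.logout_token})
        except DeliveryTimeout:
            job.log.append(f"attempt {job.attempts}: timeout")
        else:
            job.log.append(f"attempt {job.attempts}: HTTP {status}")
            if 200 <= status < 300:
                return True
            if 400 <= status < 500:
                return False       # permanent: do not resend a token the RP rejected
        if job.attempts < job.max_attempts:
            # exponential backoff: 1, 2, 4, 8 ... seconds, capped at five minutes
            sleep(min(300.0, 2.0 ** (job.attempts - 1)))
    return False

def flaky_rp(timeouts_before_success: int) -> Callable[[str, dict], int]:
    """Constructed transport: times out N times, then accepts a non-empty logout_token."""
    calls = [0]
    def send(uri: str, form: dict) -> int:
        calls[0] += 1
        if calls[0] <= timeouts_before_success:
            raise DeliveryTimeout(uri)
        return 200 if form.get("logout_token") else 400
    return send
```

A real deployment would persist `LogoutJob` in a queue so a retry survives an OP restart; the in-memory object here only shows the decision logic.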