[Openid-specs-ab] Issue #1549: [RP-Initiated Logout] End-user has no session with the OP, what action to take in regard to post logout redirect and back / front-channel notifications? (openid/connect)
Vladimir Dzhuvinov
issues-reply at bitbucket.org
Wed Jul 13 06:02:01 UTC 2022
New issue 1549: [RP-Initiated Logout] End-user has no session with the OP, what action to take in regard to post logout redirect and back / front-channel notifications?
https://bitbucket.org/openid/connect/issues/1549/rp-initiated-logout-end-user-has-no
Vladimir Dzhuvinov:
The course of action the OP must take in regard to a valid `post_logout_redirect_uri` and any back / front-channel notifications for the requesting RP is currently not well specified when the OP has no session for the end-user:
1. Should the OP still act upon the `post_logout_redirect_uri` ?
2. If the requesting RP is registered for back / front channel notifications - should the OP dispatch them?
If the RP presented a valid `id_token_hint` - does this change anything in regard to (1) and (2)?
If we assume “no user session at the OP” is to mean error, section 4 seems to suggest that all action should be aborted, save for giving the end-user the choice to log out from the OP:
[https://openid.net/specs/openid-connect-rpinitiated-1_0.html#ValidationAndErrorHandling](https://openid.net/specs/openid-connect-rpinitiated-1_0.html#ValidationAndErrorHandling)
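The following is an added illustration, not code from the poster, the working group or any OP implementation. It sketches the OP-side decision described in the issue: identify the requesting RP from `id_token_hint` and/or `client_id`, validate `post_logout_redirect_uri` by exact match against the RP's registered values, and only then look at whether the OP actually holds a session for the end-user. Because the issue's point is that the no-session case is not settled by the spec text, that branch is driven by a `no_session_policy` switch covering the two readings being asked about (abort everything and only offer the end-user an OP logout, or honour the validated redirect without notifications). The `Client`, `LogoutRequest` and `LogoutOutcome` records, the `sessions` and `cookie_sub` inputs, and the assumption that the `id_token_hint` has already been signature-checked are all stand-ins of this example.

```python
"""Added example: OP-side handling of an RP-Initiated Logout request.

Hypothetical data model (Client, LogoutRequest, LogoutOutcome, sessions,
cookie_sub) standing in for a real OP. id_token_hint is assumed to be
already verified; only its claims are passed in.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set
from urllib.parse import urlencode


@dataclass
class Client:
    """Hypothetical RP registration record held by the OP."""
    client_id: str
    post_logout_redirect_uris: List[str]          # compared by exact string match
    backchannel_logout_uri: Optional[str] = None
    frontchannel_logout_uri: Optional[str] = None


@dataclass
class LogoutRequest:
    """Parsed logout request; id_token_hint holds already-verified ID Token claims."""
    id_token_hint: Optional[dict] = None          # e.g. {"sub": ..., "aud": ...}
    client_id: Optional[str] = None
    post_logout_redirect_uri: Optional[str] = None
    state: Optional[str] = None


@dataclass
class LogoutOutcome:
    action: str                                   # "redirect", "done", "prompt" or "error"
    redirect_to: Optional[str] = None
    backchannel: List[str] = field(default_factory=list)   # client_ids to notify
    frontchannel: List[str] = field(default_factory=list)
    reason: Optional[str] = None


def handle_logout(req: LogoutRequest, clients: Dict[str, Client],
                  sessions: Dict[str, Set[str]], cookie_sub: Optional[str],
                  no_session_policy: str = "prompt_only") -> LogoutOutcome:
    """sessions maps a subject to the client_ids with a live RP session at the OP.
    cookie_sub is the subject of the OP's own browser session, or None.
    no_session_policy is "prompt_only" or "honor_redirect" (the two readings
    the issue asks about); it is a knob of this example, not spec text."""
    # 1. Identify the requesting RP from the id_token_hint audience and/or client_id.
    rp: Optional[Client] = None
    if req.id_token_hint is not None:
        aud = req.id_token_hint.get("aud", [])
        aud = [aud] if isinstance(aud, str) else list(aud)
        if req.client_id is not None and req.client_id not in aud:
            return LogoutOutcome("error", reason="client_id not in id_token_hint aud")
        known = [a for a in aud if a in clients]
        if len(known) != 1:
            return LogoutOutcome("error", reason="cannot identify a single RP from aud")
        rp = clients[known[0]]
    elif req.client_id is not None:
        rp = clients.get(req.client_id)
        if rp is None:
            return LogoutOutcome("error", reason="unknown client_id")

    # 2. post_logout_redirect_uri is usable only for an identified RP and only if
    #    it exactly matches a registered value; otherwise never redirect to it.
    redirect = None
    if req.post_logout_redirect_uri is not None:
        if rp is None or req.post_logout_redirect_uri not in rp.post_logout_redirect_uris:
            return LogoutOutcome("error", reason="post_logout_redirect_uri not registered")
        redirect = req.post_logout_redirect_uri
        if req.state is not None:
            redirect += ("&" if "?" in redirect else "?") + urlencode({"state": req.state})

    # 3. Session check. A hint for a different subject than the OP session must not
    #    silently end that session; ask the end-user instead.
    if (req.id_token_hint is not None and cookie_sub is not None
            and req.id_token_hint.get("sub") != cookie_sub):
        return LogoutOutcome("prompt", reason="id_token_hint sub differs from OP session")
    if cookie_sub is None or not sessions.get(cookie_sub):
        # The case the issue is about: no notifications are sent either way here.
        if no_session_policy == "honor_redirect" and redirect is not None:
            return LogoutOutcome("redirect", redirect_to=redirect, reason="no OP session")
        return LogoutOutcome("prompt", reason="no OP session")

    # 4. Session exists: end it and notify every RP in it that registered a channel.
    logged_in = sessions.pop(cookie_sub)
    back = sorted(c for c in logged_in if clients.get(c) and clients[c].backchannel_logout_uri)
    front = sorted(c for c in logged_in if clients.get(c) and clients[c].frontchannel_logout_uri)
    return LogoutOutcome("redirect" if redirect else "done", redirect_to=redirect,
                         backchannel=back, frontchannel=front)
```

The `state` value is appended to the redirect only after the URI has been validated, so an unregistered URI never receives it. Swapping `no_session_policy` between the two values changes only step 3, which keeps the unsettled question isolated from the validation that the spec does define.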