[Openid-specs-ab] Issue #1492: RP-Initiated Logout specification and the back channel (openid/connect)
Andrii Deinega
issues-reply at bitbucket.org
Thu May 5 22:19:40 UTC 2022
New issue 1492: RP-Initiated Logout specification and the back channel
https://bitbucket.org/openid/connect/issues/1492/rp-initiated-logout-specification-and-the
Andrii Deinega:
A common scenario for Web applications is to have their own session mechanisms. Among other things, these mechanisms allow specifying the maximum and idle session timeouts. For example, the Apache Tomcat session times out after 30 minutes by default.
From a security standpoint, the information about session timeouts from RPs is useful because it allows invalidating the user's session on the OP side (and ATs) once there aren't any other active sessions anymore. That happens, for example, when a user turns off his laptop and goes home. There could be a number of other good reasons for the OP to know that the user doesn't use a particular RP anymore.
Right now, the specification places its emphasis on the front channel
> An RP requests that the OP log out the End-User by redirecting the End-User's User Agent to the OP's Logout Endpoint.
and allows using either the HTTP `GET` or the `POST` method to send the logout request to the OP, which is great.
However, it's technically possible for the RP to request the OP to log out the user using the back channel when his session times out (using a POST request). It's impossible to say whether this use case was considered before, but if the WG finds it to be a legit one, I suggest outlining it and/or changing the wording for the RP-Initiated Logout section.