[Openid-specs-ab] Concerns regarding id_token_hint and HTTP GET in OIDC RP-Initiated Logout Specification
Yasas Ramanayaka
yasasramanayaka at gmail.com
Fri Sep 15 02:45:41 UTC 2023
Hi all,
I am reaching out to seek guidance on some specific aspects of the OIDC
RP-initiated logout specification[1], particularly related to the use of
the id_token_hint parameter and the requirement for OpenID Providers (OP)
to support the HTTP GET method at the logout endpoint.
The specification recommends the use of the id_token_hint parameter when
initiating logout requests and mandates support for the HTTP GET method at
the logout endpoint. However, this combination presents a risk of exposing
Personally Identifiable Information (PII). Given that GET request
parameters are often recorded in server access logs, PII user data
encapsulated in the ID token could be logged, creating potential GDPR
compliance issues.
Given this context, I would greatly appreciate your insights on whether the
specification's endorsement of id_token_hint with HTTP GET still holds as a
best practice, considering the potential PII leakage risks involved.
Also, has any other implementer run into similar PII leakage concerns
while implementing this? If so, I'd love to hear how you navigated around
them.
[1] - https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RPLogout
Thank you.
Regards,
Yasas.
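The exposure raised in the message, and one mitigation an OP can apply at the logging layer, as an added Python example that is not part of the original post: it decodes the claims that a logged GET request line reveals, then redacts the user-identifying logout parameters (id_token_hint, and logout_hint, the spec's other End-User hint) before the line is written. The ID token, its claims and the logout URL are constructed for illustration.

```python
import base64
import json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameters of the RP-initiated logout request that identify the
# End-User; both are redacted before the request line reaches the access log.
SENSITIVE_PARAMS = {"id_token_hint", "logout_hint"}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_demo_id_token(claims: dict) -> str:
    """Constructed, unsigned (alg=none) ID token for illustration only; a real
    OP issues signed tokens, but their payload is still readable base64url."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."


def claims_visible_in_log(id_token: str) -> dict:
    """What anyone reading the access log learns: the payload needs no key."""
    return json.loads(_b64url_decode(id_token.split(".")[1]))


def redact_logout_url(url: str) -> str:
    """Return the logout URL with user-identifying parameter values replaced."""
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))


def demo() -> dict:
    """Constructed end-to-end run: raw versus redacted access-log request line."""
    token = make_demo_id_token({"iss": "https://op.example.com", "sub": "248289761001",
                                "aud": "rp-client-id", "email": "jane.doe@example.com"})
    url = (f"https://op.example.com/logout?id_token_hint={token}"
           "&post_logout_redirect_uri=https%3A%2F%2Frp.example.com%2Fbye&state=af0ifjsldkj")
    return {"claims": claims_visible_in_log(token),
            "raw_line": f"GET {url} HTTP/1.1",
            "redacted_line": f"GET {redact_logout_url(url)} HTTP/1.1"}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Redacting at the log sink covers only the OP's own logs; proxies and browser history on the GET path still see the full URL, which is why the message's question about POST remains relevant.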