[Openid-specs-ab] Concerns regarding id_token_hint and HTTP GET in OIDC RP-Initiated Logout Specification
Vladimir Dzhuvinov
vladimir at connect2id.com
Fri Sep 15 16:18:10 UTC 2023
Hi Yasas,
The RP should use POST in this case. The POST method must be supported
by OpenID providers:
> OpenID Providers MUST support the use of the HTTP GET and POST methods
> defined in RFC 7231
> <https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RFC7231>
> [RFC7231] at the Logout Endpoint. RPs MAY use the HTTP GET or POST
> methods to send the logout request to the OP. If using the HTTP GET
> method, the request parameters are serialized using URI Query String
> Serialization. If using the HTTP POST method, the request parameters
> are serialized using Form Serialization.
Vladimir Dzhuvinov
On 15/09/2023 05:45, Yasas Ramanayaka via Openid-specs-ab wrote:
>
> Hi all,
>
>
> I am reaching out to seek guidance on some specific aspects of the
> OIDC RP-initiated logout specification[1], particularly related to the
> use of the id_token_hint parameter and the requirement for OpenID
> Providers (OP) to support the HTTP GET method at the logout endpoint.
>
>
> The specification recommends the use of the id_token_hint parameter
> when initiating logout requests and mandates support for the HTTP GET
> method at the logout endpoint. However, this combination presents a
> risk of exposing Personally Identifiable Information (PII). Given that
> GET request parameters are often recorded in server access logs, PII
> user data encapsulated in the ID token could be logged, creating
> potential GDPR compliance issues.
>
>
> Given this context, I would greatly appreciate your insights on
> whether the specification's endorsement of id_token_hint with HTTP GET
> still holds as a best practice, considering the potential PII leakage
> risks involved.
>
>
> Also, has any other implementer run into similar PII leakage
> concerns while implementing this? If so, I'd love to hear how you
> navigated around them.
>
>
> [1] -
> https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RPLogout
>
>
>
> Thank you.
>
> Regards,
>
> Yasas.
>
>
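As an added example (not code from either message in this thread, and not from the OpenID specification), the following Python builds the same RP-Initiated Logout request with URI Query String Serialization (GET) and with Form Serialization (POST), then shows what a typical access-log request line records for each. The endpoint, client id, redirect URI and the ID token claims are constructed placeholders; the ID token carries a dummy signature because only the readable payload matters for the logging question.

```python
"""
Added example: RP-Initiated Logout request serialization and access-log exposure.
All values (OP endpoint, client id, claims, token signature) are constructed.
"""
import base64
import json
from urllib.parse import parse_qs, urlencode, urlsplit

LOGOUT_ENDPOINT = "https://op.example.com/logout"  # assumed OP logout endpoint


def b64url(data: bytes) -> str:
    """base64url without padding, as used by JWS."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_demo_id_token(claims: dict) -> str:
    """Constructed JWT-shaped token (header.payload.dummy-signature).

    Real ID tokens are signed, but the payload is only base64url-encoded,
    not encrypted, so anyone holding the logged string can read the claims.
    """
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.{b64url(b'dummy-signature')}"


def decode_payload(jwt: str) -> dict:
    """Decode the JWT payload segment without verifying anything."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def build_get_logout(params: dict) -> str:
    """URI Query String Serialization: parameters land in the request-target."""
    return f"{LOGOUT_ENDPOINT}?{urlencode(params)}"


def build_post_logout(params: dict) -> tuple:
    """Form Serialization: parameters travel in the body, request-target is bare."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return LOGOUT_ENDPOINT, headers, urlencode(params)


def access_log_line(method: str, url: str) -> str:
    """Simplified Common Log Format request line. Servers commonly log the
    full request-target (path plus query) and never the POST body."""
    parts = urlsplit(url)
    target = parts.path + (f"?{parts.query}" if parts.query else "")
    return f"{method} {target} HTTP/1.1"


def logged_claims(log_line: str) -> dict:
    """What a reader of the access log can recover: the ID token claims if
    id_token_hint survived into the logged request-target, else nothing."""
    target = log_line.split(" ")[1]
    hints = parse_qs(urlsplit(target).query).get("id_token_hint")
    return decode_payload(hints[0]) if hints else {}


# Constructed ID token with the kind of PII the question is about.
ID_TOKEN = make_demo_id_token({
    "iss": "https://op.example.com",
    "sub": "24400320",
    "aud": "rp-client-id",
    "email": "alice@example.com",
    "name": "Alice Example",
    "iat": 1699996400,
    "exp": 1700000000,
})

LOGOUT_PARAMS = {
    "id_token_hint": ID_TOKEN,
    "client_id": "rp-client-id",
    "post_logout_redirect_uri": "https://rp.example.com/logged-out",
    "state": "af0ifjsldkj",
}

if __name__ == "__main__":
    get_line = access_log_line("GET", build_get_logout(LOGOUT_PARAMS))
    print("GET  log line exposes:", logged_claims(get_line).get("email"))
    url, _headers, body = build_post_logout(LOGOUT_PARAMS)
    post_line = access_log_line("POST", url)
    print("POST log line exposes:", logged_claims(post_line) or "nothing")
    print("POST body still carries the hint:", "id_token_hint" in parse_qs(body))
```

Because the logout request is normally sent through the End-User's browser, switching to POST means the RP returns an auto-submitting HTML form targeting the OP's logout endpoint rather than issuing a redirect; the parameters are then in the request body, which ordinary access logging does not record.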