[Openid-specs-ab] Concerns regarding id_token_hint and HTTP GET in OIDC RP-Initiated Logout Specification

Andrii Deinega andrii.deinega at gmail.com
Fri Sep 15 22:00:40 UTC 2023


Hi Yasas,

You can also always use encrypted ID tokens, right? This way, the PII data
won't be "exposed" in log files of any network intermediates regardless of
which HTTP method you use, POST or GET.

I would never use the GET method with the id_token_hint query parameter for
the Logout Endpoint because of the size limits for GET requests.

Regards,
Andrii

On Fri, Sep 15, 2023 at 9:28 AM Vladimir Dzhuvinov via Openid-specs-ab <
openid-specs-ab at lists.openid.net> wrote:

> Hi Yasas,
>
> The RP should use POST in this case. The POST method must be supported by
> OpenID providers:
>
> OpenID Providers MUST support the use of the HTTP GET and POST methods
> defined in RFC 7231
> <https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RFC7231>
> [RFC7231] at the Logout Endpoint. RPs MAY use the HTTP GET or POST
> methods to send the logout request to the OP. If using the HTTP GET
> method, the request parameters are serialized using URI Query String
> Serialization. If using the HTTP POST method, the request parameters are
> serialized using Form Serialization.
>
>
> Vladimir Dzhuvinov
>
> On 15/09/2023 05:45, Yasas Ramanayaka via Openid-specs-ab wrote:
>
> Hi all,
>
> I am reaching out to seek guidance on some specific aspects of the OIDC
> RP-initiated logout specification[1], particularly related to the use of
> the id_token_hint parameter and the requirement for OpenID Providers (OP)
> to support the HTTP GET method at the logout endpoint.
>
> The specification recommends the use of the id_token_hint parameter when
> initiating logout requests and mandates support for the HTTP GET method at
> the logout endpoint. However, this combination presents a risk of exposing
> Personally Identifiable Information (PII). Given that GET request
> parameters are often recorded in server access logs, PII user data
> encapsulated in the ID token could be logged, creating potential GDPR
> compliance issues.
>
> Given this context, I would greatly appreciate your insights on whether
> the specification's endorsement of id_token_hint with HTTP GET still holds
> as a best practice, considering the potential PII leakage risks involved.
>
> Also, has any other implementer run into similar PII leakage concerns
> while implementing this? If so, I'd love to hear how you navigated around
> them.
>
> [1] -
> https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RPLogout
>
>
>
> Thank you.
>
> Regards,
>
> Yasas.
>
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> https://lists.openid.net/mailman/listinfo/openid-specs-ab
>
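The exposure Yasas describes, and the two mitigations raised in the thread (POST form serialization; encrypted ID tokens), as an added Python example that is not part of this thread or of any OpenID implementation. The logout endpoint URL, the ID token, and the access-log line are all constructed here; the token is JWS-shaped with a placeholder signature and is never validated.

```python
import base64
import json
import re
from urllib.parse import parse_qs, urlencode, urlsplit

LOGOUT_ENDPOINT = "https://op.example/logout"  # assumed end_session_endpoint (constructed)

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

# Constructed JWS-shaped ID token carrying PII claims; the signature segment is a placeholder.
SAMPLE_ID_TOKEN = ".".join([
    _b64url(b'{"alg":"RS256","kid":"example"}'),
    _b64url(b'{"iss":"https://op.example","sub":"user-123","email":"alice@example.com"}'),
    "c2ln",
])

def _logout_params(id_token: str, redirect_uri: str, state: str) -> dict:
    return {"id_token_hint": id_token, "post_logout_redirect_uri": redirect_uri, "state": state}

def logout_get_url(id_token: str, redirect_uri: str, state: str) -> str:
    """GET: query string serialization, so the token becomes part of the logged request line."""
    return f"{LOGOUT_ENDPOINT}?{urlencode(_logout_params(id_token, redirect_uri, state))}"

def logout_post_body(id_token: str, redirect_uri: str, state: str) -> str:
    """POST: form serialization in the body, which access logs do not normally record."""
    return urlencode(_logout_params(id_token, redirect_uri, state))

def access_log_line(method: str, url: str) -> str:
    """Constructed combined-log-format line: only the request line (method, path, query) is kept."""
    target = urlsplit(url)
    path = target.path + (f"?{target.query}" if target.query else "")
    return f'203.0.113.5 - - [15/Sep/2023:09:28:00 +0000] "{method} {path} HTTP/1.1" 302 0'

def exposed_claims(log_line: str) -> dict:
    """Claims readable from an id_token_hint found in a logged URL. A JWE (5 segments) yields
    nothing without the decryption key, which is why encrypted ID tokens limit this exposure."""
    match = re.search(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"', log_line)
    if not match:
        return {}
    for token in parse_qs(urlsplit(match.group(1)).query).get("id_token_hint", []):
        parts = token.split(".")
        if len(parts) == 3:  # JWS: payload is base64url-encoded, not encrypted
            return json.loads(_b64url_decode(parts[1]))
    return {}

def redact(log_line: str) -> str:
    """Scrub id_token_hint values before access logs are retained or shipped."""
    return re.sub(r'(id_token_hint=)[^&\s"]+', r"\1[REDACTED]", log_line)
```

Running exposed_claims over a log line produced from logout_get_url returns the sub and email claims in clear, while the same request sent as a POST body leaves nothing in the request line; redact is the log-side control when GET cannot be avoided.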