[Openid-specs-ab] Concerns regarding id_token_hint and HTTP GET in OIDC RP-Initiated Logout Specification
Yasas Ramanayaka
yasasramanayaka at gmail.com
Sat Sep 16 10:37:59 UTC 2023
Hi all,
Thank you for the suggestions, yes we can use encrypted ID tokens
to mitigate the risk. The other thing is that I've observed a common pattern
among many third-party client authentication libraries, including
oidc-client-ts, Android/iOS AppAuth, node-openid-client, and
flutter_appauth. These libraries typically offer a pre-built logout method
that initiates GET requests to the OP. As a result, RP applications that
utilize these libraries (which I think is a significant number) will be
sending GET requests when handling logouts.
Regards,
Yasas.
On Sat, Sep 16, 2023 at 3:31 AM Andrii Deinega via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:
> Hi Yasas,
>
> You can also always use encrypted ID tokens, right? This way, the PII data
> won't be "exposed" in log files of any network intermediates regardless of
> which HTTP method you are using, POST or GET.
>
> I would never use the GET method with the id_token_hint query parameter
> for the Logout Endpoint because of the size limits for GET requests.
>
> Regards,
> Andrii
>
> On Fri, Sep 15, 2023 at 9:28 AM Vladimir Dzhuvinov via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:
>
>> Hi Yasas,
>>
>> The RP should use POST in this case. The POST method must be supported by
>> OpenID providers:
>>
>> OpenID Providers MUST support the use of the HTTP GET and POST methods
>> defined in RFC 7231
>> <https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RFC7231>
>> [RFC7231] at the Logout Endpoint. RPs MAY use the HTTP GET or POST
>> methods to send the logout request to the OP. If using the HTTP GET
>> method, the request parameters are serialized using URI Query String
>> Serialization. If using the HTTP POST method, the request parameters are
>> serialized using Form Serialization.
>>
>>
>> Vladimir Dzhuvinov
>>
>> On 15/09/2023 05:45, Yasas Ramanayaka via Openid-specs-ab wrote:
>>
>> Hi all,
>>
>> I am reaching out to seek guidance on some specific aspects of the OIDC
>> RP-initiated logout specification[1], particularly related to the use of
>> the id_token_hint parameter and the requirement for OpenID Providers (OP)
>> to support the HTTP GET method at the logout endpoint.
>>
>> The specification recommends the use of the id_token_hint parameter when
>> initiating logout requests and mandates support for the HTTP GET method at
>> the logout endpoint. However, this combination presents a risk of exposing
>> Personally Identifiable Information (PII). Given that GET request
>> parameters are often recorded in server access logs, PII user data
>> encapsulated in the ID token could be logged, creating potential GDPR
>> compliance issues.
>>
>> Given this context, I would greatly appreciate your insights on whether
>> the specification's endorsement of id_token_hint with HTTP GET still holds
>> as a best practice, considering the potential PII leakage risks involved.
>>
>> Also, has any other implementer run into similar PII leakage concerns
>> while implementing this? If so, I'd love to hear how you navigated around
>> them.
>>
>> [1] -
>> https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RPLogout
>>
>>
>>
>> Thank you.
>>
>> Regards,
>>
>> Yasas.
>>
>> _______________________________________________
>> Openid-specs-ab mailing list
>> Openid-specs-ab at lists.openid.net
>> https://lists.openid.net/mailman/listinfo/openid-specs-ab
>>
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> https://lists.openid.net/mailman/listinfo/openid-specs-ab
>
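Added example, written for this archive page and not taken from the thread, the OpenID spec, or any of the client libraries named above: it builds the RP-initiated logout request in the two serializations the quoted spec text describes (URI Query String Serialization for GET, Form Serialization for POST) and shows what a Common Log Format access log would retain for each. The logout endpoint, the post-logout redirect URI and the ID token are constructed placeholders; the token is an unsigned stand-in whose payload carries an email claim so the exposure is visible.

```python
import base64
import json
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample values (hypothetical, not real deployments).
END_SESSION_ENDPOINT = "https://op.example/connect/logout"
POST_LOGOUT_REDIRECT = "https://rp.example/logged-out"


def b64url(data: bytes) -> str:
    """Base64url without padding, as used for JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def sample_id_token() -> str:
    """Constructed JWS-shaped token (header.payload.signature) with a dummy
    signature; the payload carries PII (an email) like a real ID token might."""
    header = b64url(json.dumps({"alg": "RS256"}).encode())
    payload = b64url(json.dumps({"sub": "123", "email": "alice@example.com"}).encode())
    return f"{header}.{payload}.dummysig"


def payload_claims(token: str) -> dict:
    """Decode the payload without verification: this is exactly what anyone
    reading an access log that captured the token can recover."""
    payload = token.split(".")[1]
    padded = payload + "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def logout_params(id_token_hint, post_logout_redirect_uri=None, state=None):
    """Logout request parameters, using the parameter names from the spec."""
    params = {"id_token_hint": id_token_hint}
    if post_logout_redirect_uri:
        params["post_logout_redirect_uri"] = post_logout_redirect_uri
    if state:
        params["state"] = state
    return params


def build_get_request(endpoint, params):
    """URI Query String Serialization: every parameter lands in the request URI."""
    return f"{endpoint}?{urlencode(params)}"


def build_post_request(endpoint, params):
    """Form Serialization: the URI stays bare; parameters travel in the body."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return endpoint, headers, urlencode(params)


def query_params(url):
    """Parse the query string of a URL back into a dict of lists."""
    return parse_qs(urlsplit(url).query)


def access_log_line(method, url):
    """Common Log Format records the request line (method, path+query,
    protocol) and never the request body; timestamp and IP are constructed."""
    parts = urlsplit(url)
    target = parts.path + (f"?{parts.query}" if parts.query else "")
    return f'203.0.113.5 - - [16/Sep/2023:10:37:59 +0000] "{method} {target} HTTP/1.1" 302 -'


def token_logged(method, url, token):
    """True if the id_token_hint value would appear in the access log line."""
    return token in access_log_line(method, url)


def compare_serializations():
    """Build the same logout request both ways and report, per method,
    whether the ID token (and the PII inside it) ends up in the access log."""
    token = sample_id_token()
    params = logout_params(token, POST_LOGOUT_REDIRECT, state="xyz")
    get_url = build_get_request(END_SESSION_ENDPOINT, params)
    post_url, _headers, _body = build_post_request(END_SESSION_ENDPOINT, params)
    return {
        "GET": token_logged("GET", get_url, token),
        "POST": token_logged("POST", post_url, token),
    }


if __name__ == "__main__":
    token = sample_id_token()
    params = logout_params(token, POST_LOGOUT_REDIRECT, state="xyz")
    print("GET log line :", access_log_line("GET", build_get_request(END_SESSION_ENDPOINT, params)))
    print("POST log line:", access_log_line("POST", END_SESSION_ENDPOINT))
    print("claims recoverable from the GET log:", payload_claims(token))
    print(compare_serializations())
```

The POST form keeps the token out of the request line, so a server or proxy that logs only the request line never sees it; an encrypted ID token (JWE) as suggested in the thread hides the claims even when the token itself is logged, but does nothing about URL length, which is the other reason given above for preferring POST.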