[Openid-specs-ab] Issue #2157: OP RP-Initiated Logout and user's presence (openid/connect)

Andrii Deinega issues-reply at bitbucket.org
Wed Jun 5 22:02:31 UTC 2024


New issue 2157: OP RP-Initiated Logout and user's presence
https://bitbucket.org/openid/connect/issues/2157/op-rp-initiated-logout-and-users-presence

Andrii Deinega:

[https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RPLogout](https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RPLogout) states clearly that

> An RP requests that the OP log out the End-User by redirecting the End-User's User Agent to the OP's Logout Endpoint

It would be a significant improvement from a security perspective if this spec, or a new specification (extension), allowed an RP to request the OP to log out a user without his presence (when it's permitted by the OP's policies). There are lots of cases where it's impossible to redirect a user, say when the user closes his laptop and goes home. For these sorts of cases, it's highly desirable to clearly communicate via a reliable backchannel to the OP: "hi, you know, I've logged this user off, so that all new auth requests from him need to be authenticated again, and also, please invalidate his access token that was issued to me before".

There are ways to handle this now:

1. use the token revocation endpoint (so an RP can invalidate an AT)
2. force a user to be authenticated for every authorization request (with the help of the prompt parameter set to login)
3. rely on the Shared Signals and Events Framework (SSE) & CAEP events

However, these methods have their downsides and don’t provide a simple, comprehensive solution.

Lastly, I discussed this use case a bit with Mike Jones at a recent IIW, and he suggested at least filing an issue for tracking purposes.
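As an added illustration of the first two workarounds listed above (this is example code written for this page, not code from the issue author or from the OpenID specifications), the snippet below shows what an RP can do on its own today: revoke the user's tokens at the OP's RFC 7009 revocation endpoint, drop its local session, and build the next authorization request with prompt=login so the OP re-authenticates the user even if an OP session still exists. The endpoint URLs, client credentials and token values are constructed placeholders; no request is actually sent. It also shows the gap the issue describes: nothing here ends the user's SSO session at the OP itself.

```python
# Added example (not from the issue or the OpenID specs): RP-side "logout
# without the user present" using RFC 7009 token revocation plus prompt=login
# on the next OIDC authorization request. All URLs, credentials and tokens
# below are constructed placeholders (assumptions for the example).
import base64
from urllib.parse import urlencode

OP_REVOCATION_ENDPOINT = "https://op.example/oauth2/revoke"        # assumed
OP_AUTHORIZATION_ENDPOINT = "https://op.example/oauth2/authorize"  # assumed
CLIENT_ID = "rp-client"        # assumed
CLIENT_SECRET = "rp-secret"    # assumed; a real RP keeps this out of source


def build_revocation_request(token: str, token_type_hint: str = "access_token") -> dict:
    """RFC 7009 section 2.1: POST the token to the revocation endpoint as a
    form body; the client authenticates exactly as it does at the token
    endpoint (here client_secret_basic). Returns the request as a dict so
    the example stays offline."""
    if token_type_hint not in ("access_token", "refresh_token"):
        raise ValueError("unknown token_type_hint")
    creds = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    return {
        "method": "POST",
        "url": OP_REVOCATION_ENDPOINT,
        "headers": {
            "Authorization": f"Basic {creds}",
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urlencode({"token": token, "token_type_hint": token_type_hint}),
    }


def build_reauth_url(redirect_uri: str, state: str, nonce: str) -> str:
    """OIDC Core authorization request with prompt=login, which asks the OP
    to re-authenticate the End-User regardless of any existing OP session.
    state and nonce must be fresh, unguessable values bound to the RP session."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,
        "nonce": nonce,
        "prompt": "login",
    }
    return f"{OP_AUTHORIZATION_ENDPOINT}?{urlencode(params)}"


def rp_side_logout(session: dict) -> dict:
    """Everything the RP can do without the user's browser: revoke the
    refresh token first (an OP may cascade that to its access tokens), then
    the access token, clear the local session, and flag that the next login
    must use prompt=login. The OP's own SSO session is untouched; that is
    the gap the issue asks the spec to close."""
    revocations = []
    for hint in ("refresh_token", "access_token"):
        tok = session.get(hint)
        if tok:
            revocations.append(build_revocation_request(tok, hint))
    session.clear()
    session["force_reauth"] = True
    return {"revocations": revocations, "session": session}


if __name__ == "__main__":
    # Constructed sample RP session for the demo.
    demo_session = {"user": "alice", "access_token": "at-1", "refresh_token": "rt-1"}
    result = rp_side_logout(demo_session)
    for req in result["revocations"]:
        print(req["method"], req["url"], req["body"])
    print(build_reauth_url("https://rp.example/cb", state="s1", nonce="n1"))
```

Note that revocation only affects tokens the RP holds; tokens issued to other RPs for the same user, and the OP's browser session, are out of the RP's reach, which is why the author lists prompt=login and SSE/CAEP alongside it.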


