[Openid-specs-ab] Issue #837: Session - 5. Add id_token to the RP initiated logout request (openid/connect)

Nat Sakimura issues-reply at bitbucket.org
Tue May 28 21:02:29 UTC 2013


New issue 837: Session - 5. Add id_token to the RP initiated logout request
https://bitbucket.org/openid/connect/issue/837/session-5-add-id_token-to-the-rp-initiated

Nat Sakimura:

Rationale: 
The draft does not specify any parameters to send to the end_session_endpoint right now. This makes it difficult for the OP to select which session is to be logged out when the user has multiple sessions at the OP.

Current: 

Sometimes, the RP may want to notify the OP that the user has logged out of the site, and may want to log out of the OP as well. In this case, the RP, after having logged the user out of the RP, sends the user to the OP's logout endpoint URL. This URL is normally obtained via the end_session_endpoint element of the OP's Discovery response, or may be learned via other mechanisms.

Proposal: 

Sometimes, the RP may want to notify the OP that the user has logged out of the site, and may want to log out of the OP as well. In this case, the RP, after having logged the user out of the RP, sends the user to the OP's logout endpoint URL with the following parameters: 

    * id_token  OPTIONAL. The ID Token of the user to be logged out of the OP. 

The OP's logout endpoint URL is normally obtained via the end_session_endpoint element of the OP's Discovery response, or may be learned via other mechanisms.
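The proposed exchange, as an added example that is not part of the original post or of the draft: the RP appends the OPTIONAL id_token to the end_session_endpoint, and the OP uses the token's `sub` claim to pick one of several sessions. The function names, the HS256 demo key, the `op.example` URL and the session table layout are assumptions made for illustration.

```python
import base64, hashlib, hmac, json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

OP_KEY = b"constructed-demo-key"  # constructed; stands in for the OP's signing key

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input, key):
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def make_id_token(claims, key=OP_KEY):
    """Hypothetical helper: build a constructed HS256 ID Token for the demo."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    return f"{head}.{body}.{_b64(_sign(f'{head}.{body}', key))}"

def rp_logout_url(discovery, id_token=None):
    """RP side: end_session_endpoint from Discovery plus the OPTIONAL id_token."""
    parts = urlsplit(discovery["end_session_endpoint"])
    query = parse_qsl(parts.query, keep_blank_values=True)
    if id_token is not None:
        query.append(("id_token", id_token))
    return urlunsplit(parts._replace(query=urlencode(query)))

def op_select_session(url, sessions, key=OP_KEY):
    """OP side: return the id of the session to end, or None if undetermined."""
    token = dict(parse_qsl(urlsplit(url).query)).get("id_token")
    if token is None:
        return None  # no parameter: the OP cannot tell which session is meant
    try:
        head, body, sig = token.split(".")
        if not hmac.compare_digest(_sign(f"{head}.{body}", key), _unb64(sig)):
            return None  # not a token this OP issued, or it was altered
        claims = json.loads(_unb64(body))
    except ValueError:  # wrong segment count, bad base64, bad JSON
        return None
    if not isinstance(claims, dict):
        return None
    matches = [sid for sid, s in sessions.items() if s["sub"] == claims.get("sub")]
    return matches[0] if len(matches) == 1 else None
```

Because the logout request arrives through the user's browser, the OP in this sketch checks the token's signature before acting on its `sub` claim and ends no session when the check fails.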




