[Openid-specs-ab] Issue #842: Session 5.1 - Make post_logout_redirect_uri treatment more parallel to redirect_uri (openid/connect)
issues-reply at bitbucket.org
Fri May 31 17:02:30 UTC 2013
New issue 842: Session 5.1 - Make post_logout_redirect_uri treatment more parallel to redirect_uri
Currently, multiple redirect_uri values can be pre-registered, but only one post_logout_redirect_uri. Also, currently the redirect_uri value to be used must be explicitly passed to the OP, but the OP is expected to implicitly look up the registered post_logout_redirect_uri value and use it.
I am aware of a use case in which multiple post_logout_redirect_uri values are necessary. The RP is willing to pass the value to be used as an explicit parameter. I'll note that passing an explicit parameter would also be aligned with what WS-Federation does.
I propose that we change the post_logout_redirect_uri behavior to be parallel with that of redirect_uri in the manner described above. If a post_logout_redirect_uri is not passed by the RP to the OP at logout time, the OP would not perform any redirection, and would retain control of the browser session.
More information about the Openid-specs-ab