[Openid-specs-ab] end_session endpoint parameter specs

Todd W Lainhart lainhart at us.ibm.com
Fri Jan 17 21:45:09 UTC 2014


Last week I filed:

https://bitbucket.org/openid/connect/issue/914/session-5-missing-client_id-parameter

...where I stated that a required client_id parm was missing that allowed 
for the verification of the post_logout_uri value.  I've implemented this 
endpoint, and I think that I see that this parm may not be necessary.

Section 5 of the session mgmt. spec says this:

//===========
This specification also defines the following parameters that are passed 
as query parameters in the logout request:
id_token_hint
RECOMMENDED. Previously issued ID Token passed to the logout endpoint as a 
hint about the End-User's current authenticated session with the Client. 
This is used as an indication of the identity of the End-User that the RP 
is requesting be logged out by the OP. The OP need not be listed as an 
audience of the ID Token when it is used as an id_token_hint value.
post_logout_redirect_uri
OPTIONAL. URL to which the RP is requesting that the End-User's User Agent 
be redirected after a logout has been performed. The value MUST have been 
previously registered with the OP, either using the 
post_logout_redirect_uris Registration parameter or via another mechanism. 
If supplied, the OP SHOULD honor this request following the logout.


//===========

I would reword these definitions to say something along the following 
lines:

post_logout_redirect_uri  OPTIONAL.  The URL to which the RP is requesting 
that the End-User's User Agent be redirected to after the logout has been 
performed.  The value MUST have been previously registered with the OP, 
either using the post_logout_redirect_uris Registration parameter or via 
another mechanism.  If supplied, id_token_hint MUST be specified.

id_token_hint REQUIRED if "post_logout_redirect_uri" is specified, 
otherwise RECOMMENDED.  The previously issued ID Token passed to the 
logout endpoint as a hint about the End-User's current authenticated 
session with the Client. This is used as an indication of the identity of 
the End-User that the RP is requesting be logged out by the OP. If 
"post_logout_redirect_uri" is specified, then the "aud" member of this 
token MUST be a single element, and MUST be the client_id to which the 
specified "post_logout_redirect_uri" is registered.

Additionally, a decision should be made as to whether a state parameter 
should be included that can be round-tripped via the 
post_logout_redirect_uri.  Either that, or the value of the id_token_hint 
parm is returned via the post_logout_redirect_uri redirect.

The implication of this is that the end_session_endpoint can be called 
with no parameters, an id_token_hint, or both id_token_hint and 
post_logout_redirect_uri.






Todd Lainhart
Rational software
IBM Corporation
550 King Street, Littleton, MA 01460-1250
1-978-899-4705
2-276-4705 (T/L)
lainhart at us.ibm.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20140117/fb6a43c2/attachment.html>


More information about the Openid-specs-ab mailing list