[Openid-specs-ab] Issue #1032: rp-initiated logout - proposal for client_id parameter (openid/connect)

Filip Skokan issues-reply at bitbucket.org
Fri Jul 20 08:10:50 UTC 2018


New issue 1032: rp-initiated logout - proposal for client_id parameter
https://bitbucket.org/openid/connect/issues/1032/rp-initiated-logout-proposal-for-client_id

Filip Skokan:

I'd like to request that a parameter (optional or required?) client_id is defined for rp-initiated logout request.

rationale:

Currently the id_token_hint is the only way of identifying the client that's making the request. In scenarios where a client does not yet have an id_token but makes a request to authenticate which fails (e.g. due to being requested with essential sub claim through claims) the next step will be to trigger an rp initiated logout with a registered post_logout_redirect_uri but without an id_token_hint. This can be problematic for OP deployments with a high number of clients as it is not efficient or sometimes even not possible to iterate over all of them to see if this post_logout_redirect_uri is whitelisted or not. Hence the client_id parameter to make this lookup possible and efficient.

Further processing may be defined such as if both client_id and id_token_hint are provided the audience of the id_token_hint must include the client_id etc.




More information about the Openid-specs-ab mailing list