[Openid-specs-ab] Issue #1032: rp-initiated logout - proposal for client_id parameter (openid/connect)
vladimir at connect2id.com
Fri Jul 20 11:01:29 UTC 2018
My concern is that relying on the client_id opens up post logout
redirection to potential misuse.
IMO the OP shouldn't be picking any redirections if it cannot be sure, to a
satisfactory degree, that it's the legitimate RP making the call.
The ID token isn't really a substitute for proper RP authentication, but
it's some way towards that.
A JWS request might help here, but it's probably too much to ask from RPs.
On 20/07/18 11:10, Filip Skokan via Openid-specs-ab wrote:
> New issue 1032: rp-initiated logout - proposal for client_id parameter
> Filip Skokan:
> I'd like to request that a parameter (optional or required?) client_id is defined for rp-initiated logout request.
> Currently the id_token_hint is the only way of identifying the client that's making the request. In scenarios where a client does not yet have an id_token but makes a request to authenticate which fails (e.g. due to being requested with essential sub claim through claims) the next step will be to trigger an rp initiated logout with a registered post_logout_redirect_uri but without an id_token_hint. This can be problematic for OP deployments with a high number of clients as it is not efficient or sometimes even not possible to iterate over all of them to see if this post_logout_redirect_uri is whitelisted or not. Hence the client_id parameter to make this lookup possible and efficient.
> Further processing may be defined such as if both client_id and id_token_hint are provided the audience of the id_token_hint must include the client_id etc.
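The lookup and consistency rules described in the issue (resolve the RP from id_token_hint, from client_id, or from both with an audience check, then accept only a registered post_logout_redirect_uri), together with the fallback of not redirecting at all when the caller cannot be identified, as an added example in Python. This is not code from the thread or from any OpenID implementation; the in-memory client registry, the example URIs, the `allow_client_id_only` policy knob and the assurance labels are constructed assumptions, and it assumes the OP has already verified the id_token_hint signature and passes in its claims.

```python
"""OP-side handling of an RP-initiated logout request (added example).

Assumptions: the OP has already verified the signature of id_token_hint and
hands its claims over as a dict; client registrations live in an in-memory
table; redirect URI matching is exact string comparison.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class RegisteredClient:
    client_id: str
    post_logout_redirect_uris: Tuple[str, ...]


# Constructed sample registry: hypothetical clients, not real ones.
CLIENTS = {
    "app-1": RegisteredClient("app-1", ("https://app1.example/after-logout",)),
    "app-2": RegisteredClient("app-2", ("https://app2.example/bye",
                                        "https://app2.example/bye-admin")),
}

# The OP's own page, used whenever a redirect cannot be tied to a client.
OP_LOGGED_OUT_PAGE = "https://op.example/logged-out"


class LogoutRequestError(Exception):
    """Request is inconsistent or names an unregistered redirect target."""


def _audiences(claims: dict) -> list:
    aud = claims.get("aud", [])
    return [aud] if isinstance(aud, str) else list(aud)


def identify_rp(client_id: Optional[str],
                id_token_claims: Optional[dict]) -> Tuple[Optional[str], str]:
    """Work out which RP is asking and how sure the OP can be about it.

    Returns (client_id or None, assurance), where assurance is 'id_token'
    (hint present and consistent with client_id), 'client_id_only' (a bare,
    unauthenticated parameter) or 'none' (nothing to go on).
    """
    if id_token_claims is not None:
        aud = _audiences(id_token_claims)
        if client_id is not None:
            # Both given: the hint must have been issued to that client.
            if client_id not in aud:
                raise LogoutRequestError("client_id not in id_token_hint audience")
            return client_id, "id_token"
        if len(aud) == 1:
            return aud[0], "id_token"
        # Several audiences: OIDC requires azp to name the authorized party.
        azp = id_token_claims.get("azp")
        if azp in aud:
            return azp, "id_token"
        raise LogoutRequestError("ambiguous audience in id_token_hint")
    if client_id is not None:
        return client_id, "client_id_only"
    return None, "none"


def resolve_post_logout_redirect(client_id: Optional[str],
                                 id_token_claims: Optional[dict],
                                 post_logout_redirect_uri: Optional[str],
                                 allow_client_id_only: bool = True) -> Tuple[str, str]:
    """Decide where the browser may go once the OP session is ended.

    Returns (redirect_uri, assurance). The OP's own page is used whenever the
    caller cannot be tied to a registered client, so an unidentified request
    is never redirected anywhere the OP has not vetted.
    """
    rp, assurance = identify_rp(client_id, id_token_claims)
    if post_logout_redirect_uri is None or rp is None:
        # Nothing requested, or no client to check against (the issue's
        # "iterate over every client" case): land on the OP page instead.
        return OP_LOGGED_OUT_PAGE, assurance
    client = CLIENTS.get(rp)
    if client is None:
        raise LogoutRequestError("unknown client")
    if post_logout_redirect_uri not in client.post_logout_redirect_uris:
        raise LogoutRequestError("post_logout_redirect_uri not registered for client")
    if assurance == "client_id_only" and not allow_client_id_only:
        # Policy knob: a bare client_id is not proof the real RP is calling.
        return OP_LOGGED_OUT_PAGE, assurance
    return post_logout_redirect_uri, assurance


if __name__ == "__main__":
    print(resolve_post_logout_redirect("app-1", None, "https://app1.example/after-logout"))
    print(resolve_post_logout_redirect(None, None, "https://app1.example/after-logout"))
```

The returned assurance label is what lets the OP act on the concern raised above: with `allow_client_id_only=False` a request carrying only client_id still gets a validated lookup but ends on the OP's own page, while an id_token_hint whose audience matches the client is treated as sufficient to honour the registered redirect.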