[Openid-specs-ab] Issue #1032: rp-initiated logout - proposal for client_id parameter (openid/connect)

Vladimir Dzhuvinov vladimir at connect2id.com
Fri Jul 20 11:01:29 UTC 2018


Hi Filip,

My concern is that relying on the client_id opens up post logout
redirection to potential misuse.

IMO the OP shouldn't be picking any redirections if it cannot be sure, to a
satisfactory degree, that it's the legitimate RP making the call.

The ID token isn't really a substitute for proper RP authentication, but
it's some way towards that.

A JWS request might help here, but it's probably too much to ask from RPs.

Vladimir


On 20/07/18 11:10, Filip Skokan via Openid-specs-ab wrote:
> New issue 1032: rp-initiated logout - proposal for client_id parameter
> https://bitbucket.org/openid/connect/issues/1032/rp-initiated-logout-proposal-for-client_id
>
> Filip Skokan:
>
> I'd like to request that a parameter (optional or required?) client_id is defined for rp-initiated logout request.
>
> rationale:
>
> Currently the id_token_hint is the only way of identifying the client that's making the request. In scenarios where a client does not yet have an id_token but makes a request to authenticate which fails (e.g. due to being requested with an essential sub claim through claims) the next step will be to trigger an rp-initiated logout with a registered post_logout_redirect_uri but without an id_token_hint. This can be problematic for OP deployments with a high number of clients as it is not efficient or sometimes even not possible to iterate over all of them to see if this post_logout_redirect_uri is whitelisted or not. Hence the client_id parameter to make this lookup possible and efficient.
>
> Further processing may be defined such as if both client_id and id_token_hint are provided the audience of the id_token_hint must include the client_id etc.
>
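The following is an added illustration, not code from the thread, the OP in question or any OpenID project: an OP-side resolver for an RP-initiated logout request that ties the caller to a registered client via id_token_hint and/or client_id, enforces that client_id is in the hint's audience when both are sent, and only honours a post_logout_redirect_uri that exactly matches that client's registered list. The client registry, issuer, HS256 key and all function names (mint_id_token, verify_id_token_hint, resolve_logout) are assumptions made for a self-contained example; a real OP signs ID tokens asymmetrically and verifies against its published keys.

```python
import base64
import hashlib
import hmac
import json

# Constructed client registry: client_id -> registered post_logout_redirect_uris.
# A real OP reads this from its client store; the point of client_id in the
# request is that this lookup is by key rather than a scan over every client.
CLIENTS = {
    "rp-alpha": {"https://alpha.example/logged-out"},
    "rp-beta": {"https://beta.example/bye", "https://beta.example/bye-alt"},
}

OP_ISSUER = "https://op.example"
# Hypothetical shared HMAC key so the example runs offline; real OPs use an
# asymmetric signing key (e.g. RS256) published at their JWKS endpoint.
OP_HS256_KEY = b"constructed-demo-key-not-for-production"


class LogoutError(Exception):
    """Raised when the logout request must be refused outright."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict) -> str:
    """Build an HS256-signed ID token (demo helper only, used to make hints)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(OP_HS256_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_id_token_hint(token: str) -> dict:
    """Check signature and issuer of an id_token_hint and return its claims.

    Expiry is deliberately not checked: the hint only has to prove the token was
    issued by this OP, and the RP-Initiated Logout spec says the OP SHOULD accept
    expired ID Tokens as hints."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        raise LogoutError("malformed id_token_hint")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise LogoutError("unexpected alg in id_token_hint")
    expected = hmac.new(OP_HS256_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise LogoutError("bad id_token_hint signature")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("iss") != OP_ISSUER:
        raise LogoutError("id_token_hint not issued by this OP")
    return claims


def resolve_logout(params: dict) -> tuple:
    """Return (client_id, redirect_uri) the OP may act on.

    client_id is None when nothing in the request ties the caller to a client;
    redirect_uri is None when the OP should show its own logged-out page."""
    hint = params.get("id_token_hint")
    client_id = params.get("client_id")
    redirect = params.get("post_logout_redirect_uri")

    if hint is not None:
        claims = verify_id_token_hint(hint)
        aud = claims.get("aud", [])
        aud = [aud] if isinstance(aud, str) else list(aud)
        if client_id is not None:
            # Both given: the client_id must be an audience of the hint.
            if client_id not in aud:
                raise LogoutError("client_id not in id_token_hint audience")
        elif claims.get("azp") in aud:
            client_id = claims["azp"]
        elif len(aud) == 1:
            client_id = aud[0]
        else:
            raise LogoutError("ambiguous audience; pass client_id")

    if client_id is None:
        # Nothing identifies the RP: ignore any supplied redirect rather than guess.
        return (None, None)

    if client_id not in CLIENTS:
        raise LogoutError("unknown client_id")

    if redirect is None:
        return (client_id, None)

    # Exact-match against the registered set; no prefix or pattern matching.
    # Note: a bare client_id is public, so this path only proves the URI was
    # registered by that client, not that the client actually made the call.
    if redirect not in CLIENTS[client_id]:
        raise LogoutError("post_logout_redirect_uri not registered for client")
    return (client_id, redirect)
```

The split between "refuse" (LogoutError) and "log out but do not redirect" ((x, None)) is deliberate: a missing hint should not block the logout itself, it should only stop the OP from following a redirect it cannot attribute to a registered client.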

