[Openid-specs-ab] Issue #1032: rp-initiated logout - proposal for client_id parameter (openid/connect)

Filip Skokan panva.ip at gmail.com
Fri Jul 20 11:16:52 UTC 2018


Hello Vladimir,

The OP is advised to render a prompt for the end-user in those cases where
post_logout_redirect_uri is not provided. And there's no mention of
ignoring the post_logout_redirect_uri param if id_token_hint is missing.

Currently:

> post_logout_redirect_uri
> OPTIONAL. URL to which the RP is requesting that the End-User's User Agent
> be redirected after a logout has been performed. The value MUST have been
> previously registered with the OP, either using the
> post_logout_redirect_uris Registration parameter or via another mechanism.
> If supplied, the OP SHOULD honor this request following the logout.


No mention of ignoring the value if id_token_hint is not provided.

and under security considerations, the advise to prompt.

The id_token_hint parameter to a logout request can be used to determine
> which RP initiated the logout request. Logout requests without a valid
> id_token_hint value are a potential means of denial of service; therefore,
> OPs may want to require explicit user confirmation before acting upon them.


Supplying a client_id does not change a potential extra OP policy that
id_token_hint must be provided if it choses to do so, it simply makes
post_logout_redirect_uri lookup possible in cases where loading all uris or
clients into memory is not possible/is inefficient or can't query for all
valid uris for the same reasons.

Best,
*Filip*


On Fri, Jul 20, 2018 at 1:01 PM Vladimir Dzhuvinov via Openid-specs-ab <
openid-specs-ab at lists.openid.net> wrote:

> Hi Filip,
>
> My concern is that relying on the client_id opens up post logout
> redirection to potential misuse.
>
> IMO the OP shouldn't be picking any redirections if cannot be sure, to a
> satisfactory degree, that it's the legitimate RP making the call.
>
> The ID token isn't really a substitute for proper RP authentication, but
> it's some way towards that.
>
> A JWS request might help here, but it's probably too much to ask from RPs.
>
> Vladimir
>
>
> On 20/07/18 11:10, Filip Skokan via Openid-specs-ab wrote:
> > New issue 1032: rp-initiated logout - proposal for client_id parameter
> >
> https://bitbucket.org/openid/connect/issues/1032/rp-initiated-logout-proposal-for-client_id
> >
> > Filip Skokan:
> >
> > I'd like to request that a parameter (optional or required?) client_id
> is defined for rp-initiated logout request.
> >
> > rationale:
> >
> > Currently the id_token_hint is the only way of identifying the client
> that's making the request. In scenarios where a client does not yet have an
> id_token but makes a request to authenticate which fails (e.g. due to being
> requested with essential sub claim through claims) the next step will be to
> trigger an rp initiated logout with a registered post_logout_redirect_uri
> but without an id_token_hint. This can be problematic for OP deployments
> with a high number of clients as it is not efficient or sometimes even not
> possible to iterate over all of them to see if this
> post_logout_redirect_uri is whitelisted or not. Hence the client_id
> parameter to make this lookup possible and efficient.
> >
> > Further processing may be defined such as if both client_id and
> id_token_hint are provided the audience of the id_token_hint must include
> the client_id etc.
> >
>
>
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20180720/43cba25d/attachment-0001.html>


More information about the Openid-specs-ab mailing list