[Openid-specs-ab] Issue #1184: Unclear what to do if id_token_hint user does not match currently logged in user at OP (openid/connect)

Mitar issues-reply at bitbucket.org
Tue Aug 18 06:20:11 UTC 2020


New issue 1184: Unclear what to do if id_token_hint user does not match currently logged in user at OP
https://bitbucket.org/openid/connect/issues/1184/unclear-what-to-do-if-id_token_hint-user

Mitar:

In our case we maintain a user session at the OP web origin (a cookie) which serves to authenticate the user once they arrive on OP web sites. We are implementing OpenID Connect RP-Initiated Logout so that the RP can request logout from the OP, which in our case we intend to use to clear this cookie and log out the user from the OP as well.

I would like to suggest that the spec be clearer about what the intended/suggested behavior is if the RP requests logout for user A, but the user currently logged into the OP (cookie set on the OP's web origin) is user B:

* Should the OP just say "user A is not logged in anymore, great, let's redirect back" and not do anything about user B's cookie?
* Should the OP ask user B if they want to be logged out and then redirect back?
* Should the OP log out user B, ask for user A to be logged in, and then log out user A and redirect back?
* Should the OP temporarily pretend that user A is logged in, ask them to confirm logging out, and then redirect back?

So this can happen if a human has multiple accounts on the OP. They logged in as user A into the OP when the RP was requesting the ID token, but then in the meantime logged in as user B into the OP, maybe for some other RP. Then, when the first RP tries to log out, user A is not logged into the OP anymore.

The issue is that when the human wants to log out from inside the RP, there are at least two options the human might prefer:

* They are using a public computer and when clicking log out inside the RP they in fact want all sessions to be cleared, both on the RP and the OP, and they do not really care which user is currently logged into the OP.
* They are aware that the OP has user B logged in, but they would just like to log out from the RP as user A, not from the OP as well.

What would be some suggestions on what to do here?
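To make the decision points in this issue concrete, below is an illustrative OP-side handler for the end-session request. It is added example code, not part of this thread, the OpenID Connect specifications, or any particular OP implementation. It verifies the `id_token_hint` (a constructed HS256 token with a demo key stands in for the OP's real signing key and algorithm; the issuer URL `https://op.example` is assumed), compares the hinted `sub` with the subject in the OP session cookie, and applies one policy among those the post lists: on a match the session is ended; on a mismatch the OP never silently terminates user B's session on a request that named user A, and instead returns a "confirm with the present user" decision. A hint whose signature or issuer does not check out is rejected, and a request without any hint also goes to confirmation, which matches the RP-Initiated Logout guidance that unhinted logout requests should get explicit End-User confirmation. The policy choice itself is an assumption for the example, not the spec's answer to this issue.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional

# Constructed demo key and issuer; a real OP signs ID Tokens with its
# published key (e.g. RS256) and validates against its own issuer URL.
DEMO_KEY = b"constructed-demo-hmac-key"
ISSUER = "https://op.example"  # assumed issuer identifier


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_id_token(sub: str, aud: str) -> str:
    """Mint a minimal HS256 ID Token for the demo (stands in for the OP's real signer)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({"iss": ISSUER, "sub": sub, "aud": aud}).encode())
    sig = hmac.new(DEMO_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def parse_id_token_hint(token: str) -> Optional[dict]:
    """Verify signature, algorithm and issuer of the hint; return its claims or None.

    Expiry is deliberately not enforced: an id_token_hint may be an ID Token
    that has already expired, which is still enough to identify the subject.
    """
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        # Pin the algorithm so that an "alg": "none" or mismatched header is not accepted.
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(DEMO_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        claims = json.loads(_b64url_decode(p))
    except ValueError:  # malformed base64, JSON or segment count
        return None
    if claims.get("iss") != ISSUER or "sub" not in claims:
        return None
    return claims


@dataclass
class LogoutDecision:
    # "end_session" | "no_session" | "confirm_no_hint" | "confirm_mismatch" | "reject"
    action: str
    session_user: Optional[str]
    hinted_user: Optional[str]


def decide_logout(session_sub: Optional[str], id_token_hint: Optional[str]) -> LogoutDecision:
    """Decide what the OP does with an end-session request.

    session_sub is the subject from the OP's session cookie (None if no cookie).
    Policy (assumed for this example): end the session only when the hinted
    subject equals the cookie subject; on a mismatch do not silently log out
    user B because an RP asked about user A, ask the present user instead.
    """
    hinted: Optional[str] = None
    if id_token_hint is not None:
        claims = parse_id_token_hint(id_token_hint)
        if claims is None:
            # Unverifiable hint: do not act on it, and do not leak who is logged in.
            return LogoutDecision("reject", session_sub, None)
        hinted = claims["sub"]
    if session_sub is None:
        # Nobody is logged in at the OP; nothing to clear, just redirect back.
        return LogoutDecision("no_session", None, hinted)
    if hinted is None:
        # No hint: unhinted logout is a denial-of-service vector, so confirm first.
        return LogoutDecision("confirm_no_hint", session_sub, None)
    if hinted == session_sub:
        return LogoutDecision("end_session", session_sub, hinted)
    return LogoutDecision("confirm_mismatch", session_sub, hinted)


if __name__ == "__main__":
    hint_for_a = make_id_token("user-a", "rp-1")
    for cookie_user in ("user-a", "user-b", None):
        print(cookie_user, "->", decide_logout(cookie_user, hint_for_a).action)
```

The "confirm_mismatch" branch is where the two user preferences from the post would be presented as a choice on the OP's own page (clear everything, or only the RP-side session), which keeps the decision with the person actually at the keyboard rather than with the RP.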
