<div dir="ltr">(adding the WG mailing list to this oldish thread from the interop list <a href="https://groups.google.com/forum/#!topic/openid-connect-interop/lcvz7EXcUJ4" target="_blank">https://groups.google.com/forum/#!topic/openid-connect-interop/lcvz7EXcUJ4</a>)<br><br>"If the RP doesn't send you an id_token_hint to authenticate its
identity, the simple thing (and probably the best thing) to do is to not
do a post-logout redirect." -> if that's the expected/intended behavior, the spec should say so<br><br>"The problem with sending a client_id is that it's not a secret. Anyone
can spoof it, so it has no value in authenticating the client." -> that's true but the same mechanism is used in OAuth/Connect at the authorization endpoint to identify the client and determine allowed redirect URI(s). Why is it different here?<br><br><br><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Apr 17, 2015 at 2:55 PM, Mike Jones <span dir="ltr"><<a href="mailto:Michael.Jones@microsoft.com" target="_blank">Michael.Jones@microsoft.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">If the RP doesn't send you an id_token_hint to authenticate its identity, the simple thing (and probably the best thing) to do is to not do a post-logout redirect. The problem with sending a client_id is that it's not a secret. Anyone can spoof it, so it has no value in authenticating the client.<br>
<span><font color="#888888"><br>
-- Mike<br>
</font></span><div><div><br>
-----Original Message-----<br>
From: <a href="mailto:openid-connect-interop@googlegroups.com" target="_blank">openid-connect-interop@googlegroups.com</a> [mailto:<a href="mailto:openid-connect-interop@googlegroups.com" target="_blank">openid-connect-interop@googlegroups.com</a>] On Behalf Of Clément OUDOT<br>
Sent: Friday, April 17, 2015 1:01 AM<br>
To: <a href="mailto:openid-connect-interop@googlegroups.com" target="_blank">openid-connect-interop@googlegroups.com</a><br>
Subject: Re: [openid-connect-session] Checking post_logout_request_uri<br>
<br>
2015-04-16 21:31 GMT+02:00 Brian Campbell <<a href="mailto:bcampbell@pingidentity.com" target="_blank">bcampbell@pingidentity.com</a>>:<br>
> This question (or very close) has come up before. It sure seems like<br>
> something needs to be added or adjusted or clarified in the spec.<br>
><br>
> If a request is received at the end_session_endpoint with only<br>
> post_logout_redirect_uri and state parameters, what should the OP do?<br>
> Is that an error condition? Are the parameters just ignored? Is the<br>
> expectation that the calling client be looked up based on the<br>
> post_logout_redirect_uri (I'm guessing some OP/AS implementations<br>
> won't want to index on the value just to support sending the user back somewhere after maybe logging out)?<br>
><br>
> What if a client wants to use post_logout_redirect_uri but doesn't<br>
> want to hold onto the id token in order to use it as an id_token_hint?<br>
> Or doesn't like the idea of passing id tokens around as parameters?<br>
><br>
> Does the id_token_hint mean that, to use John's words, "it is a trusted RP"?<br>
> Nothing says that that I see. It mostly just talks about being a "hint<br>
> about the End-User's current authenticated session with the Client."<br>
> What if it's expired? What if it's encrypted? Should the signature<br>
> verify? What if keys have rotated so as to make signature verification<br>
> impossible? If there is a problem, should the client be informed of<br>
> the error? Or the user? Or ignore it and move on?<br>
><br>
> I feel like a different set of questions come to mind each time I read<br>
> this bit of the spec. That's what came to mind today.<br>
<br>
<br>
I agree, so why not just change the specification (it is still a<br>
draft) to require client_id (if redirection is asked) as GET parameter of the logout request?<br>
<br>
<br>
Clément.<br>
<br>
--<br>
You received this message because you are subscribed to the Google Groups "OpenID Connect Interop" group.<br>
To unsubscribe from this group and stop receiving emails from it, send an email to <a href="mailto:openid-connect-interop%2Bunsubscribe@googlegroups.com" target="_blank">openid-connect-interop+unsubscribe@googlegroups.com</a>.<br>
For more options, visit <a href="https://groups.google.com/d/optout" target="_blank">https://groups.google.com/d/optout</a>.<br>
<br>
</div></div></blockquote></div><br></div></div>
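Added example, not code from this thread, from the OpenID Connect Session Management draft, or from any implementation discussed above: an OP-side decision routine for a request to the end_session_endpoint, written to make the two positions in the thread concrete. With the default settings it follows the behaviour Mike describes (no id_token_hint, no post-logout redirect); with accept_client_id=True it follows the alternative Clément and Brian raise, identifying the caller by client_id and, as at the authorization endpoint, only ever redirecting to a URI that client registered, so a spoofed client_id can send the user nowhere the legitimate client did not register. The client registry, client secrets, URIs and claims are constructed values; HS256 with a per-client secret stands in for the RS256 signature an OP would normally verify with its own key, and the choice not to enforce exp on the hint is an assumption of this example, not a spec rule.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import urlencode

# Constructed client registry (hypothetical values, not from the thread):
# each client has the secret its ID tokens are signed with (HS256, for a
# self-contained demo) and the post-logout redirect URIs it registered.
CLIENTS = {
    "client-abc": {
        "secret": b"constructed-shared-secret",
        "post_logout_redirect_uris": ["https://rp.example/loggedout"],
    },
}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims: dict, secret: bytes) -> str:
    """Build a constructed HS256 ID token to use as the sample id_token_hint."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_id_token_hint(token: str, clients: dict):
    """Return (client_id, claims) if the hint was signed for a registered client, else None.

    The aud claim is read before verification only to select the key; nothing in
    the token is trusted until the MAC matches. Expiry is deliberately not
    enforced here (an assumption of this example): the hint names the session
    being ended, and that session may outlive the token's exp.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # wrong part count, bad base64, bad UTF-8 or bad JSON
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    if header.get("alg") != "HS256":
        return None
    aud = claims.get("aud")
    client_id = aud[0] if isinstance(aud, list) and len(aud) == 1 else aud
    client = clients.get(client_id)
    if client is None:
        return None
    expected = hmac.new(
        client["secret"], f"{header_b64}.{payload_b64}".encode(), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    return client_id, claims


def handle_end_session(params: dict, clients: dict, accept_client_id: bool = False):
    """Decide what the OP does after ending the session.

    Returns ("redirect", uri) or ("no_redirect", reason). The local session is
    assumed to be terminated regardless of the outcome; only the redirect is
    conditional.
    """
    uri = params.get("post_logout_redirect_uri")
    if not uri:
        return "no_redirect", "no post_logout_redirect_uri requested"

    client_id = None
    if "id_token_hint" in params:
        verified = verify_id_token_hint(params["id_token_hint"], clients)
        if verified is None:
            return "no_redirect", "id_token_hint did not verify"
        client_id = verified[0]
    elif accept_client_id and params.get("client_id") in clients:
        # Unauthenticated caller identification, as at the authorization
        # endpoint: safe only because the redirect target is restricted to the
        # URIs this client registered.
        client_id = params["client_id"]

    if client_id is None:
        return "no_redirect", "caller not identified"
    # Exact string match against the registered list; no prefix or wildcard rules.
    if uri not in clients[client_id]["post_logout_redirect_uris"]:
        return "no_redirect", "post_logout_redirect_uri not registered for client"

    if "state" in params:
        sep = "&" if "?" in uri else "?"
        uri = f"{uri}{sep}{urlencode({'state': params['state']})}"
    return "redirect", uri
```

The registered-URI check is what carries the security weight in both modes: the id_token_hint proves the caller once held a token for that client, and the client_id merely names a client, but in neither case does the OP redirect anywhere the named client did not register in advance. Whether an expired or encrypted hint, or one signed under a rotated key, should be accepted is left open in the thread; this example accepts an expired hint and rejects anything it cannot verify, and an implementer would pin those choices down explicitly.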