<div dir="ltr"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">Hi all,</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">I am reaching out to seek guidance on some specific aspects of the OIDC RP-initiated logout specification[1], particularly related to the use of the id_token_hint parameter and the requirement for OpenID Providers (OP) to support the HTTP GET method at the logout endpoint.</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">The specification recommends the use of the id_token_hint parameter when initiating logout requests and mandates support for the HTTP GET method at the logout endpoint. However, this combination presents a risk of exposing Personally Identifiable Information (PII). 
Given that GET request parameters are often recorded in server access logs, PII user data encapsulated in the ID token could be logged, creating potential GDPR compliance issues.</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">Given this context, I would greatly appreciate your insights on whether the specification's endorsement of id_token_hint with HTTP GET still holds as a best practice, considering the potential PII leakage risks involved.</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">Also, has any other implementer run into similar PII leakage concerns while implementing this? 
If so, I'd love to hear how you navigated around them.</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">[1] - </span><a href="https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RPLogout" target="_blank" style="text-decoration-line:none"><span style="font-size:11pt;font-family:Arial,sans-serif;background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;text-decoration-line:underline;vertical-align:baseline">https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RPLogout</span></a></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><br></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><br></p><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt">Thank you.</p><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt">Regards,</p><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt">Yasas.</p></div>
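The exposure described in the message above, worked through as an added example (this is not code from the original message, the OpenID Foundation, or any OP implementation): a constructed, unsigned-for-demo ID token is placed in an RP-initiated logout URL as id_token_hint, the GET request is written to a constructed combined-format access log line, and the PII claims are read straight back out of that line, since a JWT payload is only base64url-encoded, not encrypted. A redaction step then shows one mitigation an OP can apply at the logging layer: strip the values of id_token_hint and logout_hint from the request target before the line is stored. The endpoint and redirect URLs, the signature segment, and the client IP are all constructed placeholders.

```python
import base64
import json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


def b64url(data: bytes) -> str:
    """base64url without padding, as used for JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Inverse of b64url; restores the padding the JWT encoding drops."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


# Constructed sample ID token. The signature segment is a placeholder:
# nothing here verifies it, the point is that the payload is readable by anyone
# who can see the token, including whoever can read the access log.
SAMPLE_HEADER = {"alg": "RS256", "kid": "example-key"}
SAMPLE_CLAIMS = {
    "iss": "https://op.example.com",       # constructed issuer
    "sub": "248289761001",                 # constructed subject identifier
    "aud": "s6BhdRkqt3",                   # constructed client_id
    "email": "jane.doe@example.com",       # constructed PII
    "name": "Jane Doe",                    # constructed PII
    "exp": 1700000000,
}
SAMPLE_ID_TOKEN = ".".join([
    b64url(json.dumps(SAMPLE_HEADER).encode()),
    b64url(json.dumps(SAMPLE_CLAIMS).encode()),
    b64url(b"placeholder-signature"),
])

# Query parameters whose values an OP should never write to its access log.
SENSITIVE_PARAMS = {"id_token_hint", "logout_hint"}


def build_logout_url(end_session_endpoint: str, id_token: str,
                     post_logout_redirect_uri: str, state: str) -> str:
    """RP-initiated logout request as a GET URL, hint in the query string."""
    query = urlencode({
        "id_token_hint": id_token,
        "post_logout_redirect_uri": post_logout_redirect_uri,
        "state": state,
    })
    return f"{end_session_endpoint}?{query}"


def access_log_line(url: str) -> str:
    """Constructed combined-format line: the request line keeps the full query."""
    parts = urlsplit(url)
    target = parts.path + (f"?{parts.query}" if parts.query else "")
    return (f'203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] '
            f'"GET {target} HTTP/1.1" 302 0')


def claims_from_log_line(line: str):
    """Recover the ID token claims from a logged request line, or None."""
    request_line = line.split('"')[1]              # e.g. GET /logout?... HTTP/1.1
    target = request_line.split(" ")[1]
    params = dict(parse_qsl(urlsplit(target).query))
    hint = params.get("id_token_hint")
    if hint is None:
        return None
    segments = hint.split(".")
    if len(segments) != 3:                         # not a compact JWT (e.g. redacted)
        return None
    return json.loads(b64url_decode(segments[1]))


def redact_query(query: str) -> str:
    """Replace the values of sensitive parameters, keep everything else intact."""
    pairs = parse_qsl(query, keep_blank_values=True)
    return urlencode([(k, "REDACTED" if k in SENSITIVE_PARAMS else v)
                      for k, v in pairs])


def redact_log_line(line: str) -> str:
    """Rewrite the request target inside the quoted request line before storage."""
    head, request_line, tail = line.split('"', 2)
    method, target, version = request_line.split(" ")
    parts = urlsplit(target)
    safe_target = urlunsplit(parts._replace(query=redact_query(parts.query)))
    return f'{head}"{method} {safe_target} {version}"{tail}'


if __name__ == "__main__":
    url = build_logout_url("https://op.example.com/logout", SAMPLE_ID_TOKEN,
                           "https://rp.example.com/loggedout", "af0ifjsldkj")
    line = access_log_line(url)
    print("leaked from log:", claims_from_log_line(line))
    print("redacted line:  ", redact_log_line(line))
```

The redaction is placed at the log-writing stage on purpose: the OP still receives and validates the hint normally, so the logout flow is unchanged, while the stored line keeps the method, path, state and status code that are useful for troubleshooting. The same function applies to proxy or load-balancer logs in front of the OP, which record the GET line just as the OP does.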