<div dir="ltr">Hi Yasas,<div><br></div><div>You can also always use encrypted ID tokens, right? This way, the PII data won't be "exposed" in log files of any network intermediaries regardless of what you are using, the POST or GET HTTP method.</div><div><br></div><div>I would never use the GET method with the id_token_hint query parameter for the Logout Endpoint because of the size limits for GET requests.</div><div><br></div><div>Regards,</div><div>Andrii </div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Sep 15, 2023 at 9:28 AM Vladimir Dzhuvinov via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
  <div>
    <p>Hi Yasas,</p>
    <p>The RP should use POST in this case. The POST method must be
      supported by OpenID providers:</p>
    <p>
      </p><blockquote type="cite">OpenID Providers MUST support the use of
        the HTTP <tt>GET</tt> and <tt>POST</tt> methods defined in <a href="https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RFC7231" target="_blank">RFC
          7231</a> [RFC7231] at the Logout Endpoint. RPs MAY use the
        HTTP <tt>GET</tt> or <tt>POST</tt> methods to send the logout
        request to the OP. If using the HTTP <tt>GET</tt> method, the
        request parameters are serialized using URI Query String
        Serialization. If using the HTTP <tt>POST</tt> method, the
        request parameters are serialized using Form Serialization. </blockquote>
    <pre cols="72">Vladimir Dzhuvinov</pre>
    <div>On 15/09/2023 05:45, Yasas Ramanayaka
      via Openid-specs-ab wrote:<br>
    </div>
    <blockquote type="cite">
      <div dir="ltr">
        <p dir="ltr">Hi all,</p>
        <br>
        <p dir="ltr">I am reaching out to seek guidance on some specific aspects of the OIDC RP-initiated logout specification [1], particularly related to the use of the id_token_hint parameter and the requirement for OpenID Providers (OP) to support the HTTP GET method at the logout endpoint.</p>
        <br>
        <p dir="ltr">The specification recommends the use of the id_token_hint parameter when initiating logout requests and mandates support for the HTTP GET method at the logout endpoint. However, this combination presents a risk of exposing Personally Identifiable Information (PII). Given that GET request parameters are often recorded in server access logs, PII user data encapsulated in the ID token could be logged, creating potential GDPR compliance issues.</p>
        <br>
        <p dir="ltr">Given this context, I would greatly appreciate your insights on whether the specification's endorsement of id_token_hint with HTTP GET still holds as a best practice, considering the potential PII leakage risks involved.</p>
        <br>
        <p dir="ltr">Also, has any other implementer run into similar PII leakage concerns while implementing this? If so, I'd love to hear how you navigated around them.</p>
        <br>
        <p dir="ltr">[1] - <a href="https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RPLogout" target="_blank">https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RPLogout</a></p>
        <p>Thank you.</p>
        <p>Regards,</p>
        <p>Yasas.</p>
      </div>
      <br>
      <pre>_______________________________________________
Openid-specs-ab mailing list
<a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a>
<a href="https://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank">https://lists.openid.net/mailman/listinfo/openid-specs-ab</a>
</pre>
    </blockquote>
  </div>

</blockquote></div>
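<p>The exchange above comes down to one mechanical point: an access log normally records the request line (method, path and query string) but never the request body, so an id_token_hint sent with GET is written to disk while one sent with POST is not, and a JWS payload in that log is only base64url, not encrypted. The script below, added here as an illustration and not code from the thread or from any OpenID implementation, builds both serializations of an RP-initiated logout request, renders the log line each would leave, decodes whatever PII claims the line exposes, and applies the request-line size check behind Andrii's GET objection. The end_session endpoint URL, redirect URI, claim values, the log format and the 8190-byte limit (Apache's default LimitRequestLine) are assumptions; the ID token is constructed with a placeholder signature and is not a token issued by any OP.</p>

```python
"""Added example, not part of the mailing-list thread.

GET (URI Query String Serialization) puts id_token_hint into the request
line that access logs keep; POST (Form Serialization) puts it in the body
that they do not. All URLs, claims and the log line are constructed.
"""
import base64
import json
from urllib.parse import parse_qs, urlencode, urlsplit

OP_END_SESSION_ENDPOINT = "https://op.example.com/connect/end_session"  # assumed

# Standard OIDC claims that identify a person; used to flag what a log exposed.
PII_CLAIMS = {"sub", "email", "name", "given_name", "family_name",
              "preferred_username", "phone_number", "address"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_sample_id_token(claims: dict) -> str:
    """Constructed JWS compact serialization: real header/payload encoding,
    placeholder signature. Enough to show what a log reader can decode."""
    header = _b64url(json.dumps({"alg": "RS256", "kid": "demo"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.{_b64url(b'placeholder-signature')}"


def logout_params(id_token: str, post_logout_redirect_uri: str, state: str) -> dict:
    return {"id_token_hint": id_token,
            "post_logout_redirect_uri": post_logout_redirect_uri,
            "state": state}


def logout_request_get(id_token: str, post_logout_redirect_uri: str, state: str) -> str:
    """RP-initiated logout over HTTP GET: parameters in the query string."""
    query = urlencode(logout_params(id_token, post_logout_redirect_uri, state))
    return f"{OP_END_SESSION_ENDPOINT}?{query}"


def logout_request_post(id_token: str, post_logout_redirect_uri: str, state: str):
    """RP-initiated logout over HTTP POST: parameters form-encoded in the body.
    Returns (url, headers, body) ready for an HTTP client."""
    body = urlencode(logout_params(id_token, post_logout_redirect_uri, state))
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return OP_END_SESSION_ENDPOINT, headers, body


def access_log_line(method: str, url: str) -> str:
    """What a Common Log Format access log keeps of a request: the request
    line (method, path plus query, protocol). Bodies are not recorded."""
    parts = urlsplit(url)
    target = parts.path + (f"?{parts.query}" if parts.query else "")
    return f'203.0.113.7 - - [15/Sep/2023:09:28:00 +0000] "{method} {target} HTTP/1.1" 302 -'


def pii_claims_in_log_line(line: str) -> dict:
    """Decode any id_token_hint in a logged request line and return the PII
    claims it carries. A 3-part JWS payload is plain base64url; a 5-part JWE
    (encrypted ID token, Andrii's suggestion) is ciphertext and is skipped."""
    request_line = line.split('"')[1]
    target = request_line.split(" ")[1]
    hints = parse_qs(urlsplit(target).query).get("id_token_hint")
    if not hints or hints[0].count(".") != 2:
        return {}
    claims = json.loads(_b64url_decode(hints[0].split(".")[1]))
    return {k: v for k, v in claims.items() if k in PII_CLAIMS}


def exceeds_request_line_limit(url: str, limit: int = 8190) -> bool:
    """Size check for the GET form. 8190 bytes is Apache's default
    LimitRequestLine (assumed as a typical cap); a POST body is not subject to it."""
    parts = urlsplit(url)
    request_line = f"GET {parts.path}?{parts.query} HTTP/1.1"
    return len(request_line.encode()) > limit


if __name__ == "__main__":
    # Constructed claims for the demo; the email and name are the PII at stake.
    claims = {"iss": "https://op.example.com", "sub": "248289761001",
              "aud": "rp-demo", "email": "jane.doe@example.com",
              "name": "Jane Doe", "iat": 1694766400, "exp": 1694770000}
    token = make_sample_id_token(claims)
    redirect = "https://rp.example.com/logged-out"
    get_url = logout_request_get(token, redirect, "st-1")
    post_url, _, _ = logout_request_post(token, redirect, "st-1")
    for method, url in (("GET", get_url), ("POST", post_url)):
        line = access_log_line(method, url)
        print(f"{method}: exposed PII claims = {pii_claims_in_log_line(line)}")
    print("GET request line over limit:", exceeds_request_line_limit(get_url))
```

Running it shows the GET log line yielding sub, email and name, and the POST log line yielding nothing; the request-line check is the reason to prefer POST even where the OP scrubs its logs, since an ID token with many claims plus a redirect URI can exceed a server's line limit before the request is ever processed.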