<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Hi Yasas,</p>
<p>The RP should use POST in this case. The POST method must be
supported by OpenID providers:</p>
<blockquote type="cite">OpenID Providers MUST support the use of
the HTTP <tt>GET</tt> and <tt>POST</tt> methods defined in <a
class="info"
href="https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RFC7231">RFC
7231</a> [RFC7231] at the Logout Endpoint. RPs MAY use the
HTTP <tt>GET</tt> or <tt>POST</tt> methods to send the logout
request to the OP. If using the HTTP <tt>GET</tt> method, the
request parameters are serialized using URI Query String
Serialization. If using the HTTP <tt>POST</tt> method, the
request parameters are serialized using Form Serialization.</blockquote>
<p><br>
</p>
<pre class="moz-signature" cols="72">Vladimir Dzhuvinov</pre>
<div class="moz-cite-prefix">On 15/09/2023 05:45, Yasas Ramanayaka
via Openid-specs-ab wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAKihT2osKKQ5WHj8PB3tqU0PWbqv3_d=qCPMg4xNHyZgaz5e8Q@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">
<p dir="ltr"
style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span
style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">Hi
all,</span></p>
<br>
<p dir="ltr"
style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span
style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">I
am reaching out to seek guidance on some specific aspects of
the OIDC RP-initiated logout specification[1], particularly
related to the use of the id_token_hint parameter and the
requirement for OpenID Providers (OP) to support the HTTP
GET method at the logout endpoint.</span></p>
<br>
<p dir="ltr"
style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span
style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">The
specification recommends the use of the id_token_hint
parameter when initiating logout requests and mandates
support for the HTTP GET method at the logout endpoint.
However, this combination presents a risk of exposing
Personally Identifiable Information (PII). Given that GET
request parameters are often recorded in server access logs,
PII user data encapsulated in the ID token could be logged,
creating potential GDPR compliance issues.</span></p>
<br>
<p dir="ltr"
style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span
style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">Given
this context, I would greatly appreciate your insights on
whether the specification's endorsement of id_token_hint
with HTTP GET still holds as a best practice, considering
the potential PII leakage risks involved.</span></p>
<br>
<p dir="ltr"
style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span
style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">And
also, has any other implementer run into similar PII leakage
concerns while implementing this? If so, I'd love to hear
how you navigated around them.</span></p>
<br>
<p dir="ltr"
style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span
style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">[1]
- </span><a
href="https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RPLogout"
target="_blank" style="text-decoration-line:none"
moz-do-not-send="true"><span
style="font-size:11pt;font-family:Arial,sans-serif;background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;text-decoration-line:underline;vertical-align:baseline">https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RPLogout</span></a></p>
<p dir="ltr"
style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><br>
</p>
<p dir="ltr"
style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><br>
</p>
<p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt">Thank
you.</p>
<p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt">Regards,</p>
<p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt">Yasas.</p>
</div>
<br>
<pre class="moz-quote-pre" wrap="">_______________________________________________
Openid-specs-ab mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.net</a>
<a class="moz-txt-link-freetext" href="https://lists.openid.net/mailman/listinfo/openid-specs-ab">https://lists.openid.net/mailman/listinfo/openid-specs-ab</a>
</pre>
</blockquote>
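<p>Added example (not from either message above): an RP building the same RP-initiated logout request both ways, with a helper that models what an OP's access log typically records (the request line only). The constructed, unsigned ID token, the hypothetical endpoint <tt>https://op.example/logout</tt> and the RP URI are assumptions; with GET the <tt>email</tt> claim is recoverable from the logged query string, with POST (form serialization) it never reaches the request line.</p>

```python
import base64
import json
from urllib.parse import parse_qs, urlencode, urlparse

END_SESSION_ENDPOINT = "https://op.example/logout"  # hypothetical OP logout endpoint


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


# Constructed ID token for illustration only: JWT-shaped header.payload.signature,
# with a dummy third segment in place of a real signature.
SAMPLE_ID_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url(json.dumps({"iss": "https://op.example", "sub": "248289761001",
                        "aud": "rp-client", "email": "jane@example.com"}).encode()),
    "fake-signature",
])


def logout_params(id_token_hint: str, post_logout_redirect_uri: str, state: str) -> dict:
    return {"id_token_hint": id_token_hint,
            "post_logout_redirect_uri": post_logout_redirect_uri,
            "state": state}


def build_get_logout(id_token_hint: str, redirect_uri: str, state: str) -> str:
    """GET: URI Query String Serialization; the whole ID token rides in the URL."""
    return END_SESSION_ENDPOINT + "?" + urlencode(logout_params(id_token_hint, redirect_uri, state))


def build_post_logout(id_token_hint: str, redirect_uri: str, state: str) -> dict:
    """POST: Form Serialization; the ID token is in the body, not in the request line."""
    return {"method": "POST", "url": END_SESSION_ENDPOINT,
            "headers": {"Content-Type": "application/x-www-form-urlencoded"},
            "body": urlencode(logout_params(id_token_hint, redirect_uri, state))}


def access_log_line(method: str, url: str) -> str:
    """Model of a typical access log entry: method, path and query string, never the body."""
    u = urlparse(url)
    return f"{method} {u.path}{'?' + u.query if u.query else ''} HTTP/1.1"


def id_token_claims(id_token: str) -> dict:
    """Decode the JWT payload segment for inspection (no signature verification)."""
    payload = id_token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def leaked_claims(log_line: str) -> dict:
    """Claims an operator could read back from one logged request line; {} if none."""
    hint = parse_qs(urlparse(log_line.split(" ")[1]).query).get("id_token_hint")
    return id_token_claims(hint[0]) if hint else {}
```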
</body>
</html>