<div dir="ltr">Hi all,<div><br></div><div>Thank you for the suggestions; yes, we can use encrypted ID tokens to mitigate the risk. The other thing is that I've observed a common pattern among many third-party client authentication libraries, including oidc-client-ts, Android/iOS AppAuth, node-openid-client, and flutter_appauth. These libraries typically offer a pre-built logout method that initiates GET requests to the OP. As a result, RP applications that utilize these libraries (which I think is a significant number) will be sending GET requests when handling logouts.</div><div><br></div><div>Regards,</div><div>Yasas.</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sat, Sep 16, 2023 at 3:31 AM Andrii Deinega via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Hi Yasas,<div><br></div><div>You can also always use encrypted ID tokens, right? This way, the PII data won't be "exposed" in log files of any network intermediaries regardless of which HTTP method you are using, POST or GET.</div><div><br></div><div>I would never use the GET method with the id_token_hint query parameter for the Logout Endpoint because of the size limits for GET requests.</div><div><br></div><div>Regards,</div><div>Andrii </div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Sep 15, 2023 at 9:28 AM Vladimir Dzhuvinov via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<p>Hi Yasas,</p>
<p>The RP should use POST in this case. The POST method must be
supported by OpenID providers:</p>
<p>
</p><blockquote type="cite">OpenID Providers MUST support the use of
the HTTP <tt>GET</tt> and <tt>POST</tt> methods defined in <a href="https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RFC7231" target="_blank">RFC
7231</a> [RFC7231] at the Logout Endpoint. RPs MAY use the
HTTP <tt>GET</tt> or <tt>POST</tt> methods to send the logout
request to the OP. If using the HTTP <tt>GET</tt> method, the
request parameters are serialized using URI Query String
Serialization. If using the HTTP <tt>POST</tt> method, the
request parameters are serialized using Form Serialization. </blockquote>
<p></p>
<p><br>
</p>
<pre cols="72">Vladimir Dzhuvinov</pre>
<div>On 15/09/2023 05:45, Yasas Ramanayaka
via Openid-specs-ab wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">Hi
all,</span></p>
<br>
<p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">I
am reaching out to seek guidance on some specific aspects of
the OIDC RP-initiated logout specification[1], particularly
related to the use of the id_token_hint parameter and the
requirement for OpenID Providers (OP) to support the HTTP
GET method at the logout endpoint.</span></p>
<br>
<p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">The
specification recommends the use of the id_token_hint
parameter when initiating logout requests and mandates
support for the HTTP GET method at the logout endpoint.
However, this combination presents a risk of exposing
Personally Identifiable Information (PII). Given that GET
request parameters are often recorded in server access logs,
PII user data encapsulated in the ID token could be logged,
creating potential GDPR compliance issues.</span></p>
<br>
<p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">Given
this context, I would greatly appreciate your insights on
whether the specification's endorsement of id_token_hint
with HTTP GET still holds as a best practice, considering
the potential PII leakage risks involved.</span></p>
<br>
<p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">Also,
has any other implementer run into similar PII leakage
concerns while implementing this? If so, I'd love to hear
how you navigated around them.</span></p>
<br>
<p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">[1]
- </span><a href="https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RPLogout" style="text-decoration-line:none" target="_blank"><span style="font-size:11pt;font-family:Arial,sans-serif;background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;text-decoration-line:underline;vertical-align:baseline">https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RPLogout</span></a></p>
<p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><br>
</p>
<p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><br>
</p>
<p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt">Thank
you.</p>
<p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt">Regards,</p>
<p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt">Yasas.</p>
</div>
<br>
<pre>_______________________________________________
Openid-specs-ab mailing list
<a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a>
<a href="https://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank">https://lists.openid.net/mailman/listinfo/openid-specs-ab</a>
</pre>
</blockquote>
</div>
</blockquote></div>
</blockquote></div>