OpenID Connect logout concern with encrypted id_token
Piraveena Paralogarajah
piraveena.14 at cse.mrt.ac.lk
Thu Jul 9 05:16:49 UTC 2020
Hi all,
We have a requirement for using encrypted_id_token which is signed using
the application's certificate. But we have some issues when using
encrypted_id_tokens during OIDC logout.
The use case is the following.
1. An application is using an encrypted id_token due to security measures. This id_token is encrypted using the application's certificate.
2. Once logged out from the application, it needs to redirect the user to the end application.
3. To achieve 2, the application must send the plain text id_token as id_token_hint, because the IDP is using the id_token to identify the application.
We could find the following possible solutions:
1. Make id_token_hint not required to redirect to the application. But we use id_token_hint to identify the RP-initiated logout. From the id_token_hint, we derive the client_id. What is the best approach to identify the client during logout?
2. Ask the application to encrypt the decrypted token with the IdP certificate. Then in the logout flow, the IdP decrypts and verifies the token. This adds more overhead for the application as well.
Any thoughts on how to handle encrypted id_token_hint for OIDC logout?
Appreciate your suggestions on this.
Thank you for your time,
Piraveena
--
*Piraveena Paralogarajah*
*Blog:* https://medium.com/@piraveenaparalogarajah
*LinkedIn*: https://www.linkedin.com/in/piraveena-paralogarajah
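The core of the problem above is what the OP can and cannot learn from an id_token_hint at logout. The following is an added illustration, not code from the original post or from any OIDC implementation: an OP-side check that recognises an encrypted hint (JWE) as unusable for client identification, and for a plain signed hint (JWS) verifies the signature before deriving the client from aud/azp. It assumes an HS256 signing secret purely so that it runs with the standard library; a real OP verifies its own RS256/ES256 signature with the matching public key.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret (assumption): stands in for the OP's signing key.
OP_SIGNING_KEY = b"constructed-demo-secret"


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_id_token(claims: dict) -> str:
    """Build a plain (signed-only) id_token the way the OP would issue it."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(OP_SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def client_from_id_token_hint(token: str) -> dict:
    """OP-side logout check: which RP is behind this id_token_hint?"""
    parts = token.split(".")
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError:
        return {"ok": False, "reason": "malformed id_token_hint"}
    if len(parts) == 5 or "enc" in header:
        # JWE: five segments and an 'enc' header. aud/azp sit inside the
        # encrypted payload, which only the RP's private key can open, so the
        # OP cannot identify the client from this hint.
        return {"ok": False, "reason": "encrypted id_token_hint: OP cannot identify the client"}
    if len(parts) != 3 or header.get("alg") != "HS256":
        return {"ok": False, "reason": "unsupported token format"}
    signing_input = f"{parts[0]}.{parts[1]}".encode()
    expected = hmac.new(OP_SIGNING_KEY, signing_input, hashlib.sha256).digest()
    # Verify before trusting any claim; constant-time compare against tampering.
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        return {"ok": False, "reason": "signature mismatch"}
    claims = json.loads(_b64url_decode(parts[1]))
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    # With several audiences, OIDC requires azp to name the party the token was issued to.
    client_id = claims.get("azp") or audiences[0]
    return {"ok": True, "client_id": client_id, "sub": claims.get("sub")}
```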