[Code] Openid connect logout concern with encrypted id_token
Piraveena Paralogarajah
piraveena.14 at cse.mrt.ac.lk
Thu Jul 9 07:44:48 UTC 2020
Hi Nat Sakimura,
Thanks for your suggestion. I have posted this to
openid-specs-ab at lists.openid.net
Thanks,
Piraveena
On Thu, 9 Jul 2020 at 12:37, Nat Sakimura <nat at nat.consulting> wrote:
> Hi
>
> It might be better for you to post this to the OpenID AB/C WG. There are
> more experts there. The list address is
>
> openid-specs-ab at lists.openid.net
>
> You need to sign the IPR agreement and subscribe to the list before
> posting, but the IPR agreement is just asking you to assure other
> implementers in implementing the spec, so it shouldn't be hard.
>
> Best,
>
> Nat Sakimura
> Chairman, OpenID Foundation
> https://nat.sakimura.org
> On 9 Jul 2020, 14:41 +0900, Piraveena Paralogarajah <piraveena.14 at cse.mrt.ac.lk>
> wrote:
>
> Hi all,
>
> We have a requirement for using an encrypted id_token which is signed using
> the application's certificate. But we have some issues when using
> encrypted id_tokens during OIDC logout.
> Use Case is the following.
>
> 1. An application is using an encrypted id_token as a security measure.
> This id_token is encrypted using the application's certificate.
> 2. Once logged out from the application, it needs to redirect the user to
> the end application.
> 3. To achieve 2, the application must send the plain-text id_token as
> id_token_hint, because the IdP is using the id_token to identify the
> application.
>
> We could find the following possible solutions
>
> 1. Make id_token_hint not required for redirecting to the application. But
> we use id_token_hint to identify the RP-initiated logout. From the
> id_token_hint, we derive the client_id. What is the best approach to
> identify the client during logout?
>
> 2. Ask the application to encrypt the decrypted token with the
> IdP certificate. Then in the logout flow, the IdP decrypts and verifies the
> token. This adds more overhead for the application as well.
>
> Any thoughts on how to handle encrypted id_token_hint for OIDC logout?
>
> Appreciate your suggestions on this.
>
> Thank you for your time,
> Piraveena
> --
> *Piraveena Paralogarajah*
>
> *Blog:* https://medium.com/@piraveenaparalogarajah
> *LinkedIn*: https://www.linkedin.com/in/piraveena-paralogarajah
>
> _______________________________________________
> Code mailing list
> Code at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-code
>
>
--
*Piraveena Paralogarajah*
*Blog:* https://medium.com/@piraveenaparalogarajah
*LinkedIn*: https://www.linkedin.com/in/piraveena-paralogarajah