Front & back-channel logout: require HTTPS URIs?
Issue #1030
resolved
Shouldn't the logout specs include normative language about the use of HTTPS for logout URIs? Or at least outline the possible issues with plain vs HTTPS logout URIs in the "Security Considerations"?
My suggestion is to have HTTPS REQUIRED (or at least RECOMMENDED) for front-channel logout, for privacy and confidentiality reasons, and also to make it possible for the OP to render the logout iframe without complications (browsers normally block non-HTTPS iframes in HTML served with HTTPS).
Similarly for back-channel logout, where the logout token can be a JWS without additional JWE (or even alg:none).
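An added example (not part of this issue or of the logout specs' text) of the two checks the proposal implies: an OP rejecting non-HTTPS logout URIs at client registration, and an RP refusing an unsigned (alg: none) logout token before signature verification. The registration parameter names are the ones defined by the OpenID Connect Front-Channel and Back-Channel Logout specs; the function names and sample tokens are constructed for illustration.

```python
import base64
import json
from urllib.parse import urlsplit

# Client-registration parameters defined by the OpenID Connect Front-Channel
# and Back-Channel Logout specs (names from those specs, not from this issue).
LOGOUT_URI_PARAMS = ("frontchannel_logout_uri", "backchannel_logout_uri")


def validate_logout_uris(client_metadata: dict) -> list:
    """Hypothetical OP-side registration check. Returns the reasons for
    rejecting the logout URIs (empty list = acceptable). Every logout URI
    present must be an absolute https URI: that keeps the logout request and
    token off the wire in clear text and avoids the browser mixed-content
    rule that blocks an http iframe inside the OP's https logout page."""
    errors = []
    for name in LOGOUT_URI_PARAMS:
        uri = client_metadata.get(name)
        if uri is None:
            continue  # both parameters are optional; absent = mechanism unused
        parts = urlsplit(uri)
        if parts.scheme != "https" or not parts.netloc:
            errors.append(f"{name} must be an absolute https URI, got {uri!r}")
    return errors


def logout_token_alg_is_acceptable(logout_token: str) -> bool:
    """Hypothetical RP-side pre-check on a back-channel logout token: parse
    the JOSE header of the compact JWS and refuse 'alg: none' (an unsigned
    token) before any key lookup. Full JWT validation still follows."""
    try:
        header_b64 = logout_token.split(".")[0]
        padded = header_b64 + "=" * (-len(header_b64) % 4)
        header = json.loads(base64.urlsafe_b64decode(padded))
    except (ValueError, IndexError):
        return False
    alg = header.get("alg") if isinstance(header, dict) else None
    return isinstance(alg, str) and alg.lower() != "none"


def _b64url_json(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


# Constructed sample tokens (not real OP output) for trying the check above.
UNSIGNED_SAMPLE = ".".join([_b64url_json({"alg": "none"}),
                            _b64url_json({"iss": "https://op.example"}), ""])
SIGNED_SAMPLE = ".".join([_b64url_json({"alg": "RS256", "kid": "k1"}),
                          _b64url_json({"iss": "https://op.example"}),
                          "signature-placeholder"])
```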
Comments (4)
Good catch. I'll make this change.
- changed status to open
- changed status to resolved
Fixed
#1030 - Specify the use of HTTPS URIs (changeset 70affd91afa0)