Front & back-channel logout: require HTTPS URIs?

Issue #1030 resolved
Vladimir Dzhuvinov created an issue

Shouldn't the logout specs include normative language about the use of HTTPS for logout URIs? Or at least outline the possible issues with plain vs HTTPS logout URIs in the "Security Considerations"?

My suggestion is to have HTTPS REQUIRED (or at least RECOMMENDED) for front-channel logout, for privacy and confidentiality reasons, and also to make it possible for the OP to render the logout iframe without complications (browsers normally block non-HTTPS iframes in HTML served with HTTPS).

Similarly for back-channel logout, where the logout token can be a JWS without additional JWE (or even alg:none).
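The two checks the issue argues for, written out as an added Python example (not code from the OpenID Connect logout specs, from the issue author, or from any OP or RP implementation): a registration-time check that rejects non-HTTPS front- or back-channel logout URIs, and a back-channel logout token verifier that refuses `alg: none` (or any algorithm outside an allowlist) before looking at the payload, then applies the claim checks the Back-Channel Logout spec requires (`iss`, `aud`, `iat`, `jti`, the `events` member, no `nonce`, `sub` and/or `sid`). HS256 with the client secret is used only so the example runs offline; real OPs usually sign logout tokens with an asymmetric key published via JWKS. The issuer, client_id, secret and claim values are constructed sample data.

```python
"""Logout URI and logout token checks (example code, not from the OIDC specs)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional
from urllib.parse import urlsplit

BACKCHANNEL_EVENT = "http://schemas.openid.net/event/backchannel-logout"
ALLOWED_ALGS = {"HS256"}  # allowlist: "none" can never pass, whatever the header says

# Constructed sample data, not real credentials or endpoints.
SAMPLE_SECRET = b"example-client-secret-not-real"
SAMPLE_ISSUER = "https://op.example.com"
SAMPLE_CLIENT_ID = "rp-example-client"
SAMPLE_NOW = 1_700_000_000
SAMPLE_CLAIMS = {"iss": SAMPLE_ISSUER, "aud": SAMPLE_CLIENT_ID, "iat": SAMPLE_NOW,
                 "jti": "bWJq", "events": {BACKCHANNEL_EVENT: {}}, "sid": "sess-1"}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def logout_uri_problem(uri: str) -> Optional[str]:
    """None if the URI is acceptable as a logout URI, else the reason.
    Policy (the issue's proposal): absolute https URIs with a host only."""
    parts = urlsplit(uri)
    if parts.scheme.lower() != "https":
        return f"scheme must be https, got {parts.scheme or 'none'!r}"
    if not parts.hostname:
        return "URI has no host"
    return None


def make_logout_token(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    """Build a compact JWS. alg='none' yields the unsigned form the issue warns
    about; it exists here only so the verifier can be shown rejecting it."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}"
    if alg == "none":
        return signing_input + "."
    if alg != "HS256":
        raise ValueError("example only signs HS256")
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_logout_token(token: str, secret: bytes, issuer: str, client_id: str,
                        now: Optional[float] = None, skew: int = 120) -> dict:
    """Return the claims of a valid back-channel logout token or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Algorithm is decided from our allowlist before the payload is parsed.
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError(f"rejected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("not addressed to this client")
    now = time.time() if now is None else now
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)) or abs(now - iat) > skew:
        raise ValueError("iat missing or outside the accepted window")
    if not claims.get("jti"):
        raise ValueError("jti missing")
    if BACKCHANNEL_EVENT not in (claims.get("events") or {}):
        raise ValueError("events claim lacks the backchannel-logout member")
    if "nonce" in claims:
        raise ValueError("logout tokens must not carry a nonce")
    if not (claims.get("sub") or claims.get("sid")):
        raise ValueError("need sub and/or sid")
    return claims


def logout_token_problem(token: str, secret: bytes, issuer: str, client_id: str,
                         now: Optional[float] = None) -> Optional[str]:
    """Convenience wrapper: None when the token verifies, else the failure reason."""
    try:
        verify_logout_token(token, secret, issuer, client_id, now=now)
        return None
    except ValueError as exc:  # json and base64 errors are ValueError subclasses
        return str(exc)


def demo() -> dict:
    good = make_logout_token(SAMPLE_CLAIMS, SAMPLE_SECRET)
    unsigned = make_logout_token(SAMPLE_CLAIMS, SAMPLE_SECRET, alg="none")
    with_nonce = make_logout_token({**SAMPLE_CLAIMS, "nonce": "n"}, SAMPLE_SECRET)
    args = (SAMPLE_SECRET, SAMPLE_ISSUER, SAMPLE_CLIENT_ID)
    return {
        "https_uri": logout_uri_problem("https://rp.example.com/logout"),
        "http_uri": logout_uri_problem("http://rp.example.com/logout"),
        "good": logout_token_problem(good, *args, now=SAMPLE_NOW),
        "alg_none": logout_token_problem(unsigned, *args, now=SAMPLE_NOW),
        "nonce": logout_token_problem(with_nonce, *args, now=SAMPLE_NOW),
        "wrong_key": logout_token_problem(good, b"other", SAMPLE_ISSUER,
                                         SAMPLE_CLIENT_ID, now=SAMPLE_NOW),
    }


if __name__ == "__main__":
    for name, problem in demo().items():
        print(f"{name:10s} -> {problem or 'OK'}")
```

The URI check is where the issue's "REQUIRED vs RECOMMENDED" choice lands: with RECOMMENDED it would log a warning instead of refusing registration. The token verifier treats the `alg` header as untrusted input and compares it against a fixed allowlist, which is what makes `alg: none` fail closed; accepting whatever algorithm the token names is the classic mistake the issue's last sentence alludes to.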

Comments (4)