backchannel logout requests should include a reference to the OP

Issue #1049 resolved
Hans Zandbelt created an issue

Whilst taking a stab at implementing backchannel logout according to: https://openid.net/specs/openid-connect-backchannel-1_0.html

I found that for an RP that connects to multiple OPs it would be impossible to deduce the OP from the logout_token if it is encrypted with a symmetric key, since following the OpenID Connect id_token guidelines (as suggested) it would have to decrypt with the client_secret, which is (hopefully) a per-provider setting. Trying all OPs/client_secrets consecutively would be very inefficient and probably not what anyone would want to do.

I suggest adding an iss parameter to the backchannel logout request in addition to the logout_token parameter.

This will also make it easier for implementors to share the code path with id_token validation since they'd no longer have to "peek" into the id_token before calling the validation routine that may be issuer specific. The issuer would typically be known before validating the id_token since it is recorded in the (browser bound) state.
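The two RP code paths contrasted in this issue, as an added example that is not part of the issue, the specification, or the reporter's implementation. It assumes logout tokens signed with HS256 using the per-OP client_secret (the symmetric-key case the issue describes, shown with signing rather than encryption so it runs with the standard library only); the OP issuer URLs, client_ids and secrets are constructed values. With an iss form parameter the RP consults exactly one OP configuration; without it, it has to try every client_secret it holds until one validates.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs

BACKCHANNEL_LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"

# Constructed configuration of one RP registered at two OPs (hypothetical
# names and secrets). Each OP issued the RP a different client_secret.
OPS = {
    "https://op-a.example": {"client_id": "rp-at-a", "client_secret": "secret-for-op-a"},
    "https://op-b.example": {"client_id": "rp-at-b", "client_secret": "secret-for-op-b"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_logout_token(issuer: str, client_id: str, secret: str, sub: str, sid: str, now: int) -> str:
    """Build an HS256-signed logout token the way an OP would (test fixture only)."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": issuer, "sub": sub, "aud": client_id, "iat": now, "jti": f"jti-{sid}",
        "events": {BACKCHANNEL_LOGOUT_EVENT: {}}, "sid": sid,
    }
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_logout_token(token: str, issuer: str, cfg: dict, now: int, max_age: int = 300) -> dict:
    """Verify signature and logout-token claims against a single OP's configuration."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(cfg["client_secret"].encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if claims.get("iss") != issuer:
        raise ValueError("iss mismatch")
    if cfg["client_id"] not in aud:
        raise ValueError("aud mismatch")
    if not isinstance(claims.get("iat"), int) or abs(now - claims["iat"]) > max_age:
        raise ValueError("iat out of range")
    if BACKCHANNEL_LOGOUT_EVENT not in claims.get("events", {}):
        raise ValueError("missing backchannel-logout event")
    if "sub" not in claims and "sid" not in claims:
        raise ValueError("neither sub nor sid present")
    if "nonce" in claims:
        raise ValueError("nonce must not be present in a logout token")
    return claims


def handle_backchannel_logout(form_body: str, now: int) -> dict:
    """Process the form-encoded body of a back-channel logout POST.

    Returns the issuer, the verified claims and the number of OP
    configurations that had to be consulted.
    """
    form = parse_qs(form_body)
    token = form.get("logout_token", [None])[0]
    if token is None:
        raise ValueError("logout_token missing")
    iss = form.get("iss", [None])[0]
    if iss is not None:
        # Proposed behaviour: the request names the OP, so exactly one
        # configuration (and one client_secret) is consulted.
        cfg = OPS.get(iss)
        if cfg is None:
            raise ValueError("unknown issuer")
        claims = verify_logout_token(token, iss, cfg, now)
        return {"issuer": iss, "claims": claims, "attempts": 1}
    # Current behaviour: nothing in the request identifies the OP, so the RP
    # must try every client_secret it holds until one validates the token.
    attempts = 0
    for candidate, cfg in OPS.items():
        attempts += 1
        try:
            claims = verify_logout_token(token, candidate, cfg, now)
        except ValueError:
            continue
        return {"issuer": candidate, "claims": claims, "attempts": attempts}
    raise ValueError("logout_token did not validate against any configured OP")
```

The fallback loop is also the code path that has to "peek" at the iss claim to do better than brute force, which is exactly what the issue wants to avoid: with the issuer known up front, the logout_token can go through the same per-issuer validation routine as an id_token.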
