backchannel logout requests should include a reference to the OP
Whilst taking a stab at implementing backchannel logout according to https://openid.net/specs/openid-connect-backchannel-1_0.html, I found that for an RP that connects to multiple OPs it would be impossible to deduce the OP from the logout_token if it is encrypted with a symmetric key, since, following the OpenID Connect id_token guidelines (as suggested), it would have to decrypt with the client_secret, which is (hopefully) a per-provider setting. Trying all OPs/client_secrets consecutively would be very inefficient and probably not what anyone would want to do.

I suggest adding an iss parameter to the backchannel logout request in addition to the logout_token parameter.

This will also make it easier for implementors to share the code path with id_token validation, since they'd no longer have to "peek" into the id_token before calling the validation routine that may be issuer specific. The issuer would typically be known before validating the id_token since it is recorded in the (browser-bound) state.
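An RP-side sketch of the routing problem raised in this issue, as an added example that is neither the reporter's code nor anything from the OpenID Connect working group: it reads "iss" from the plaintext payload of a signed logout_token, or from the JWE protected header when the OP replicates the claim there (the resolution adopted for this issue), and uses it to pick the matching client_secret before any decryption is attempted. The registry REGISTERED_OPS, the OP names op-a.example/op-b.example, the function names and the sample tokens are all constructed for this example; the signature and ciphertext segments are placeholders, and real verification or decryption with the selected secret is left to a JOSE library.

```python
import base64
import json

# Constructed RP configuration, one registration per OP; every value here is a
# placeholder made up for this example, not a credential of any deployment.
REGISTERED_OPS = {
    "https://op-a.example": {"client_id": "rp-at-a", "client_secret": "secret-a"},
    "https://op-b.example": {"client_id": "rp-at-b", "client_secret": "secret-b"},
}

def _b64url_decode(segment: str) -> bytes:
    # JOSE strips base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_json(obj) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def issuer_hint(token: str) -> str:
    """Read "iss" without key material: from the plaintext payload of a JWS, or
    from the protected header of a JWE, where the OP duplicates it as the fix
    adopted in this issue describes."""
    parts = token.split(".")
    # JWS (3 segments): payload is segment 1; JWE (5): protected header is 0.
    segment = {3: 1, 5: 0}.get(len(parts))
    if segment is None:
        raise ValueError("not a compact JWS or JWE")
    iss = json.loads(_b64url_decode(parts[segment])).get("iss")
    if not isinstance(iss, str) or not iss:
        raise ValueError("logout_token carries no usable iss hint")
    return iss

def select_op(token: str, registered=REGISTERED_OPS):
    """Pick the registration whose client_secret verifies or decrypts this token,
    rejecting unknown issuers before any cryptography runs."""
    iss = issuer_hint(token)
    if iss not in registered:
        raise ValueError(f"logout_token from unregistered issuer {iss!r}")
    return iss, registered[iss]

def issuer_consistent(hint: str, decrypted_claims: dict) -> bool:
    # The unauthenticated hint must match the authenticated iss claim revealed
    # by decryption; otherwise a forged header steered the key selection.
    return decrypted_claims.get("iss") == hint

# Constructed sample tokens: signature and ciphertext segments are placeholders
# (decryption itself is left to a JOSE library); only the routing input is real.
SAMPLE_JWS = ".".join([_b64url_json({"alg": "HS256"}), _b64url_json(
    {"iss": "https://op-b.example", "sub": "u1", "sid": "s1"}), "sig"])
SAMPLE_JWE = ".".join([_b64url_json({"alg": "dir", "enc": "A256GCM",
    "iss": "https://op-a.example"}), "", "iv", "ciphertext", "tag"])
```

After the selected secret has decrypted the JWE, the RP should still run issuer_consistent against the authenticated claims, since the header copy of "iss" is only a routing hint.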
Comments (4)
- changed status to open
There was some discussion on the list about this - http://lists.openid.net/pipermail/openid-specs-ab/Week-of-Mon-20180924/007021.html is the thread.
- changed status to resolved
Fixed #1049 - Include a reference to the OP when the Logout Token is encrypted → <<cset 5aed2d7fd469>>
We will describe duplicating the "iss" field in the header in this case, as allowed by the JWT spec.