backchannel logout requests should include a reference to the OP

Issue #1049 resolved
Hans Zandbelt created an issue

Whilst taking a stab at implementing backchannel logout according to:

I found that for an RP that connects to multiple OPs it would be impossible to deduct the OP from the logout_token if it is encrypted with a symmetric key. Since following the OpenID Connect id_token guidelines (as suggested) it would have to decrypt with the client_secret which is (hopefully) a per-provider setting. Trying all OPs/client_secret's consecutively would be very inefficient and probably not what anyone would want to do.

I suggest to add an iss parameter to the backchannel logout request in addition to the logout_token parameter.

This will also make it easier for implementors to share the code path with id_token validation since they'd no longer have to "peek" into the id_token before calling the validation routine that may be issuer specific. The issuer would typically be known before validating the id_token since it is recorded in the (browser bound) state.

Comments (4)

  1. Log in to comment