Whilst taking a stab at implementing backchannel logout according to https://openid.net/specs/openid-connect-backchannel-1_0.html, I found that for an RP that connects to multiple OPs it would be impossible to deduce the OP from the logout_token if it is encrypted with a symmetric key, since, following the OpenID Connect id_token guidelines (as suggested), it would have to decrypt it with the client_secret, which is (hopefully) a per-provider setting. Trying all OPs/client_secrets consecutively would be very inefficient and probably not what anyone would want to do.

I suggest adding an iss parameter to the backchannel logout request in addition to the

This will also make it easier for implementors to share the code path with id_token validation, since they'd no longer have to "peek" into the id_token before calling the validation routine that may be issuer-specific. The issuer would typically be known before validating the id_token since it is recorded in the (browser-bound) state.