The current spec recommends using the id_token as the id_token_hint in RP-initiated logout, but there are two issues with this approach:
1. When an id_token contains additional claims, the id_token becomes too big for a URL query parameter and can run into logout issues. This is especially an issue when the id_token includes role claims in an enterprise Active Directory environment.
2. The id_token can contain sensitive information about the user such as name, email and phone. Because it is sent as a GET query parameter, the value can easily be extracted by a middle party, and it also gets logged under a standard logging configuration.
Is there a way to recommend using a different value for this? The reason for using id_token_hint makes sense, but does the value have to be the id_token itself? Could the OP issue some other value (within the id_token) at sign-in time that can be used as the logout id_token_hint? Then the OP can still verify the logout request in a secure manner.
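The two problems described above, and the alternative the post asks about, as an added example that is not part of the original post or of any OP implementation. Everything in it is constructed for the demo: the HS256 signing key, the `op.example` / `rp.example` endpoints, the user claims and the AD-style group names. The `sid` flow is one possible shape of "some other value issued at sign-in" (an opaque session id the OP keeps in its own session table); it is an assumption for illustration, not a spec recommendation.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed demo values: not real keys, endpoints or users.
OP_SIGNING_KEY = b"demo-op-hs256-key-do-not-use-in-production"
OP_LOGOUT_ENDPOINT = "https://op.example/connect/endsession"
RP_CLIENT_ID = "rp-client"
RP_POST_LOGOUT_URI = "https://rp.example/signed-out"

# Session table the OP fills at sign-in: opaque sid -> subject and audience.
# A real OP would keep this in a database; a dict is enough for the demo.
OP_SESSIONS: dict = {}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Minimal HS256 JWT for the demo (a real OP would use RS256/ES256)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(signature)}"


def ad_style_roles(count: int) -> list:
    """Constructed enterprise group claims of the kind AD-backed OPs emit."""
    return [f"CN=App-Role-{i:04d},OU=Groups,DC=corp,DC=example" for i in range(count)]


def issue_id_token(sub: str, roles: list) -> tuple:
    """OP sign-in: mint the id_token and an opaque session id (sid) beside it."""
    sid = secrets.token_urlsafe(16)
    now = int(time.time())
    claims = {
        "iss": "https://op.example",
        "sub": sub,
        "aud": RP_CLIENT_ID,
        "iat": now,
        "exp": now + 3600,
        "name": "Alice Example",            # constructed PII
        "email": "alice@corp.example",
        "phone_number": "+1-555-0100",
        "roles": roles,
        "sid": sid,                          # opaque value the RP can echo at logout
    }
    OP_SESSIONS[sid] = {"sub": sub, "aud": RP_CLIENT_ID}
    return sign_jwt(claims, OP_SIGNING_KEY), sid


def logout_url_with_id_token(id_token: str) -> str:
    """The spec's recommendation: the whole id_token as id_token_hint."""
    return OP_LOGOUT_ENDPOINT + "?" + urlencode(
        {"id_token_hint": id_token, "post_logout_redirect_uri": RP_POST_LOGOUT_URI}
    )


def logout_url_with_sid(sid: str) -> str:
    """The alternative: an opaque value issued at sign-in plus the client_id."""
    return OP_LOGOUT_ENDPOINT + "?" + urlencode(
        {"sid": sid, "client_id": RP_CLIENT_ID, "post_logout_redirect_uri": RP_POST_LOGOUT_URI}
    )


def claims_visible_in_log(logged_url: str) -> dict:
    """What a proxy or access log that captured the GET line can read back.
    No key is needed: the JWT payload is only base64url-encoded, not encrypted."""
    query = parse_qs(urlparse(logged_url).query)
    payload = query["id_token_hint"][0].split(".")[1]
    return json.loads(b64url_decode(payload))


def op_verify_sid_logout(logged_url: str) -> Optional[dict]:
    """OP side: resolve the opaque hint to a session; the URL carries no PII.
    Returns the session on success, None if the sid is unknown or the
    client_id does not match the audience the session was issued for."""
    query = parse_qs(urlparse(logged_url).query)
    session = OP_SESSIONS.get(query.get("sid", [""])[0])
    if session is None or session["aud"] != query.get("client_id", [""])[0]:
        return None
    return session


if __name__ == "__main__":
    token, sid = issue_id_token("alice", ad_style_roles(200))
    print("id_token_hint URL length:", len(logout_url_with_id_token(token)))
    print("sid URL length:", len(logout_url_with_sid(sid)))
    print("leaked from log:", claims_visible_in_log(logout_url_with_id_token(token))["email"])
    print("sid logout resolves to:", op_verify_sid_logout(logout_url_with_sid(sid)))
```

With a few hundred AD groups the id_token_hint URL runs well past the 2 KB region where proxies and some servers start rejecting request lines, while the sid URL stays at a couple of hundred bytes whatever the claim set is. The log-side decode shows why the size problem is also a confidentiality problem: anything that records the request line gets the name, email and phone in clear, since a signed JWT is readable by anyone who can see it.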