Require id_token_hint in RP-initiated logout for redirect to post_logout_redirect_uri
During IETF 104 in Prague, a number of us discussed RP-initiated logout and how to validate the client so that redirecting to the post_logout_redirect_uri is safe. The consensus was to require that an id_token_hint be present so that the client can be validated; otherwise, the supplied post_logout_redirect_uri should not be honored.
Those present were Torsten Lodderstedt, John Bradley, Filip Skokan, Daniel Fett, Aaron Parecki, and Mike Jones.
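The rule agreed here (honor post_logout_redirect_uri only when an id_token_hint lets the OP validate the client), combined with the refinements in the comments that follow (error when the URI arrives without a hint, confirmation prompt when neither is given), as an added example that is not code from the issue or from any OP implementation. The client registry, the HS256 demo key and the token claims are constructed for the demo; a real OP verifies the ID token with its own signing key, checks iss and exp, and would also pass any state parameter back on the redirect.

```python
import base64, hashlib, hmac, json

# Constructed client registry (demo values, not from the issue).
CLIENTS = {
    "client-a": {
        "key": b"constructed-demo-key-for-client-a",
        "post_logout_redirect_uris": ["https://rp-a.example/loggedout"],
    },
}

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_id_token(client_id: str, sub: str = "alice") -> str:
    """Constructed HS256 ID token for the demo; a real OP signs with its own key (usually RS256)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"iss": "https://op.example", "aud": client_id, "sub": sub}).encode())
    sig = hmac.new(CLIENTS[client_id]["key"], f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_id_token(token: str):
    """Return the claims if the signature verifies for the client named in aud, else None."""
    try:
        header, payload, sig = token.split(".")
        claims = json.loads(_b64url_decode(payload))
        key = CLIENTS[claims["aud"]]["key"]  # unknown or malformed aud -> rejected below
        given = _b64url_decode(sig)
    except (ValueError, KeyError, TypeError):
        return None
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return claims if hmac.compare_digest(expected, given) else None

def handle_end_session(params: dict) -> dict:
    """Decide what the OP does with an end_session request under the rule agreed in this issue."""
    hint = params.get("id_token_hint")
    target = params.get("post_logout_redirect_uri")
    if target is None:
        # No redirect requested: the hint stays optional; without it, ask the user to confirm.
        return {"action": "logout"} if hint else {"action": "prompt"}
    if hint is None:
        # post_logout_redirect_uri without id_token_hint: the client cannot be validated.
        return {"action": "error", "error": "invalid_request"}
    claims = verify_id_token(hint)
    if claims is None or target not in CLIENTS[claims["aud"]]["post_logout_redirect_uris"]:
        # Bad hint, or a URI not registered for the validated client: never redirect there.
        return {"action": "error", "error": "invalid_request"}
    return {"action": "redirect", "client_id": claims["aud"], "location": target}
```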
Comments (5)
reporter: We talked about it on the 25-Nov-19 call and agreed that we should go with this approach unless objections are raised.
-
Requiring id_token_hint in order to honor a post_logout_redirect_uri seems reasonable. And like we talked about last week, the OP probably should/must prompt the user for confirmation, if no id_token_hint is provided. But I don’t think id_token_hint should be required in general at the end_session_endpoint. And I don’t think that’s where this is going but I wanted to make sure. There are definitely cases where it’s too much of a burden on an RP to retain the whole id token just on the chance that logout will happen.
-
"But I don’t think id_token_hint should be required in general at the end_session_endpoint."
I think we aim for required if post_logout_redirect_uri is provided, otherwise optional.
FYI making post_logout_redirect_uri actionable w/o id_token_hint given there’s an end-user prompt was my original goal in https://bitbucket.org/openid/connect/issues/1032/rp-initiated-logout-proposal-for-client_id. That, unfortunately for the spec’s usability in some scenarios, did not pan out.
-
reporter changed status to resolved: Fixed
#1071 - Require id_token_hint in RP-initiated logout for redirect to post_logout_redirect_uri → <<cset 086bef67faa9>>
In addition, when post_logout_redirect_uri is present and the id_token_hint is not, the request should result in an error.
https://bitbucket.org/openid/connect/issues/1032/rp-initiated-logout-proposal-for-client_id#comment-51373773