Require id_token_hint in RP-initiated logout for redirect to post_logout_redirect_uri

Comments (5)

1. 

   Filip Skokan

   In addition, when post_logout_redirect_uri is present and the id_token_hint is not, the request should result in an error.

   https://bitbucket.org/openid/connect/issues/1032/rp-initiated-logout-proposal-for-client_id#comment-51373773

   • 2019-04-19T19:32:52+00:00
2. 

   Michael Jones reporter

   We talked about it on the 25-Nov-19 call and agreed that we should go with this approach unless objections are raised.

   • 2019-11-25T23:16:50+00:00
3. 

   Brian Campbell

   Requiring id_token_hint in order to honor a post_logout_redirect_uri seems reasonable. And like we talked about last week, the OP probably should/must prompt the user for confirmation, if no id_token_hint is provided. But I don’t think id_token_hint should be required in the general at the end_session_endpoint. And I don’t think that’s where this is going but I wanted to make sure. There are definitely cases where it’s too much of a burden on an RP to retain the whole id token just on the chance that logout will happen.

   ‌

   • 2019-11-25T23:47:58+00:00
4. 

   Filip Skokan

   But I don’t think id_token_hint should be required in the general at the end_session_endpoint.

   I think we aim for required if post_logout_redirect_uri is provided, otherwise optional.

   FYI making post_logout_redirect_uri actionable w/o id_token_hint given there’s an end-user prompt was my original goal in https://bitbucket.org/openid/connect/issues/1032/rp-initiated-logout-proposal-for-client_id. That, unfortunately for the spec’s usability in some scenarios, did not pan out.

   • 2019-11-25T23:53:45+00:00
5. 

   Michael Jones reporter

   • changed status to resolved

   Fixed #1071 - Require id_token_hint in RP-initiated logout for redirect to post_logout_redirect_uri

   → <<cset 086bef67faa9>>

   • 2020-07-29T18:17:10+00:00
6. Log in to comment