RECOMMENDED. Previously issued ID Token passed to the logout endpoint as a hint about the End-User's current authenticated session with the Client. This is used as an indication of the identity of the End-User that the RP is requesting be logged out by the OP. The OP need not be listed as an audience of the ID Token when it is used as an
- While implied by the use of “Previously issued” I think it's fair to say the AS must verify the `iss` value of the token is the AS itself, that the `alg` is the one the client is configured to be receiving and, in case of both symmetric and asymmetric algorithms, verify the signature.
- Since ID Token expiration isn’t tied to either the RP or the OP session duration I always assumed the expiration is to be ignored. Since someone recently brought the fact that an expired ID Token is accepted as a hint as an issue to me, I’d expect the WG and the document to clarify.
- `sid`: currently an optional claim of the ID Token for back/front-channel logout RP-session identification purposes. What if the received hint’s `sid` ties to a different OP session than the one present? Does the OP proceed to log out the session currently in place? Does it return an error? If so, should `sid` be a required claim whenever rp-initiated-logout functionality is present?
Points 1 & 2 also apply to the use of `id_token_hint` at the authorization endpoint.
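The checks the post lists (pinned `alg`, signature, `iss` is this OP, `sid` against the current session, `exp` ignored) as an added example in stdlib Python; this is not the poster's code and not part of any OpenID specification. It assumes an HS256 shared secret and constructed issuer/session values so the signing helper can run offline.

```python
import base64, hmac, hashlib, json

# Constructed demo key and expected values; placeholders, not from the post.
KEY = b"demo-shared-secret-for-illustration-only"
EXPECTED_ISS = "https://op.example"
EXPECTED_ALG = "HS256"  # the alg the client is registered to receive

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_id_token(claims: dict, alg: str = "HS256") -> str:
    """Mint a compact JWS with the constructed key (demo helper only)."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def check_id_token_hint(token: str, current_sid):
    """Validate an id_token_hint at the logout endpoint.
    Order: alg pinned, signature, iss, sid. exp is deliberately not checked,
    matching the post's reading that the hint's expiry is irrelevant."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
    except ValueError:
        return False, "malformed token"
    # Pin the algorithm before touching the signature; never trust header alg.
    if header.get("alg") != EXPECTED_ALG:
        return False, "unexpected alg"
    expected = hmac.new(KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return False, "bad signature"
    if claims.get("iss") != EXPECTED_ISS:
        return False, "iss is not this OP"
    # Open question from the post: hint bound to a different OP session.
    # This policy refuses rather than logging out a session the hint
    # does not name; an absent sid (optional claim) is tolerated.
    if current_sid is not None and claims.get("sid") not in (None, current_sid):
        return False, "sid does not match current session"
    return True, "ok"
```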