[rp-initiated-logout] insufficient description of id_token_hint processing and validations

Issue #1087 resolved
Filip Skokan created an issue


RECOMMENDED. Previously issued ID Token passed to the logout endpoint as a hint about the End-User's current authenticated session with the Client. This is used as an indication of the identity of the End-User that the RP is requesting be logged out by the OP. The OP need not be listed as an audience of the ID Token when it is used as an id_token_hint value.

  1. While implied by the use of “Previously issued” I think it's fair to say the AS must verify the iss value of the token is the AS itself, that the alg is the one the client is configured to be receiving and in case of both symmetric and asymmetric algorithms verify the signature.
  2. Since ID Token expiration isn’t tied to either the RP or the OP session duration, I always assumed the expiration is to be ignored. Since someone recently brought the fact that an expired ID Token is accepted as a hint to me as an issue, I’d expect the WG and the document to clarify.
  3. sid - currently an optional claim of the ID Token for back/front-channel logout RP-session identification purposes. What if the received hint’s sid ties to a different OP session than the one present? Does the OP proceed to log out the session currently in place? Does it return an error? If so, should sid be a required claim whenever rp-initiated-logout functionality is present?

Points 1 & 2 also apply to the use of id_token_hint at the authorization endpoint.

Comments (2)

  1. Michael Jones

    I agree that these clarifications need to be made to the draft. A lot of this is common sense but it’s worth spelling out more explicitly.
