- changed milestone to Final
[rp-initiated-logout] insufficient description of id_token_hint processing and validations
Issue #1087
resolved
The parameter as currently described in the draft:

id_token_hint
RECOMMENDED. Previously issued ID Token passed to the logout endpoint as a hint about the End-User's current authenticated session with the Client. This is used as an indication of the identity of the End-User that the RP is requesting be logged out by the OP. The OP need not be listed as an audience of the ID Token when it is used as an id_token_hint value.
1. While implied by the use of “Previously issued”, I think it's fair to say the AS must verify the iss value of the token is the AS itself, that the alg is the one the client is configured to be receiving and, in case of both symmetric and asymmetric algorithms, verify the signature.

2. Since ID Token expiration isn't tied to either the RP or OP session duration, I always assumed the expiration is to be ignored. Since someone recently brought the fact that an expired ID Token is accepted as a hint as an issue to me, I'd expect the WG and the document to clarify.

3. sid is currently an optional claim of the ID Token for back/front-channel logout RP-session identification purposes; what if the received hint's sid ties to a different OP session than the one present? Does the OP proceed to log out the session currently in place? Does it return an error? If so, should sid be a required claim whenever rp-initiated-logout functionality is present?

Points 1 & 2 also apply to the use of id_token_hint at the authorization endpoint.
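As an added illustration (not code from the issue, the working group or any OP implementation), the checks listed in the three points above written out as a logout-endpoint validator. The issuer URL, client registration, secret and session ids are constructed for the example; only the HS256 case is implemented, and treating a sid mismatch as an error rather than ending the current session is a policy choice the issue leaves open.

```python
import base64
import hashlib
import hmac
import json

# Constructed configuration for a hypothetical OP; none of these values are from the issue.
OP_ISSUER = "https://op.example"
CLIENT = {"client_id": "rp-1", "alg": "HS256", "secret": b"constructed-client-secret"}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    """Test helper: mint an HMAC-SHA256 signed ID Token, writing `alg` into the header
    so header/registration mismatches can be exercised. A real OP signs at issuance."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_id_token_hint(token: str, client: dict, issuer: str, current_sid: str):
    """Checks an OP applies to id_token_hint at the logout endpoint. Returns (ok, reason).
    Only the points raised in the issue are applied: header alg must equal the client's
    registered alg (which also blocks alg=none), the signature must verify, iss must be
    this OP, exp is deliberately ignored, and a present sid must match the OP session.
    aud is not checked because the OP need not be listed as an audience of the hint."""
    try:
        h, p, s = token.split(".")
        header, claims = json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p))
    except ValueError:  # covers wrong segment count, bad base64 and bad JSON
        return False, "malformed token"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False, "malformed token"
    if header.get("alg") != client["alg"] or client["alg"] != "HS256":
        return False, "alg does not match client registration"  # example verifies HS256 only
    expected = hmac.new(client["secret"], f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return False, "bad signature"
    if claims.get("iss") != issuer:
        return False, "not issued by this OP"
    # exp is intentionally not checked: an expired ID Token is still accepted as a hint.
    if "sid" in claims and claims["sid"] != current_sid:
        return False, "sid does not match the current OP session"  # policy choice: reject
    return True, "ok"
```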
Comments (2)
- changed status to resolved
Fixed
#1087 - Insufficient description of id_token_hint processing and validation → <<cset 58ee6c1f9e6f>>
I agree that these clarifications need to be made to the draft. A lot of this is common sense but it’s worth spelling out more explicitly.