Clarify that OPs must send a logout notification to the RP that requested RP-Initiated Logout
When an RP sends an RP-Initiated Logout message to the OP, the OP MUST still request that that RP log out if it believes that it was logged in. (This notification can happen via Session Management, Front-Channel, or Back-Channel.)
This means that the RP need not clear its logged-in state before sending the RP-Initiated Logout message (although it is also free to do so).
This issue resulted from the discussion at https://github.com/openid-certification/oidctest/issues/205.
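The behaviour proposed above, as an added example that is not part of the original issue or of any OP implementation: a simplified in-memory model (no HTTP, no logout token validation) in which the OP notifies every RP it believes is logged in, the initiator included. The class and function names, the client IDs and the `sid` value are assumptions made for the illustration.

```python
class Rp:
    """Hypothetical RP holding local logged-in state keyed by session id."""
    def __init__(self, client_id):
        self.client_id = client_id
        self.local_sessions = set()

    def start_logout(self, sid, clear_first):
        # The RP is free to clear its own state before going to the OP, or not.
        if clear_first:
            self.local_sessions.discard(sid)
        # Stand-in for the RP-Initiated Logout request sent to the OP.
        return {"client_id": self.client_id, "sid": sid}

    def on_logout_notification(self, sid):
        # Idempotent: safe whether or not the state was already cleared.
        was_logged_in = sid in self.local_sessions
        self.local_sessions.discard(sid)
        return was_logged_in


class Op:
    """Hypothetical OP tracking which RPs it believes are logged in per session."""
    def __init__(self):
        self.sessions = {}  # sid -> set of client_ids

    def login(self, sid, rp):
        self.sessions.setdefault(sid, set()).add(rp.client_id)
        rp.local_sessions.add(sid)

    def rp_initiated_logout(self, request, rps):
        sid = request["sid"]
        believed = self.sessions.pop(sid, set())
        # No special case for request["client_id"]: the initiator is notified too.
        return {cid: rps[cid].on_logout_notification(sid) for cid in sorted(believed)}


def simulate(clear_first):
    """Run one logout started by rp-a; return (notification results, RPs still logged in)."""
    rps = {cid: Rp(cid) for cid in ("rp-a", "rp-b")}  # constructed sample RPs
    op = Op()
    for rp in rps.values():
        op.login("sid-1", rp)
    request = rps["rp-a"].start_logout("sid-1", clear_first)
    results = op.rp_initiated_logout(request, rps)
    leftover = [cid for cid, rp in rps.items() if rp.local_sessions]
    return results, leftover


if __name__ == "__main__":
    print(simulate(clear_first=True))
    print(simulate(clear_first=False))
```

Both runs end with no RP holding local state; the only difference is whether the initiator's notification handler found anything left to clear.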
Comments (3)
@gffletch that’s the current wording, but it makes it confusing to determine whether the initiating RP should expect to be called back or not.
If we agree to adopt the proposed text in this issue, then I suggest to drop the current text about logging out users before redirecting to the OP.
reporter - changed status to resolved
Fixed
#1134 - Clarify that OPs must send a logout notification to the RP that requested RP-Initiated Logout → <<cset fdbeb0622294>>
I think the guidance for the RP is that they SHOULD log the user out before sending the user to the OP rather than waiting to get a logout callback from the OP.