The front-channel logout mechanism has a major advantage compared to the back-channel logout mechanism in that it works even behind a firewall or such. It however relies on cookies (to determine which session should be logged out) which gives two problems:
- It lacks CSRF protection, opening up for Denial of Service attacks (an attacker that can trick a user to load a certain page can silently log the user out of another site)
- It may not work - due to users disabling third-party cookies or RPs using SameSite cookies (see issue #1003)
With Chrome moving to SameSite=Lax by default this becomes a major problem. The problem with SameSite cookies can of course be “solved” by RPs setting SameSite=None - but that opens up for the kind of CSRF attacks that it’s intended to protect against.
To solve this I propose a new version of front-channel logout that takes a logout token (just like the one used in back-channel logout). Having such a token completely removes the reliance on cookies - solving both of the above mentioned problems. It may be a bit harder to implement (for both OPs and RPs) but not harder than back-channel logout.
Perhaps the specification should require that logout tokens are encrypted (for back-channel logout that seems completely unnecessary).
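As an added illustration of the proposed token-based front-channel logout (example code, not from this issue, the OpenID specs or any implementation): the RP endpoint below validates a logout token carried in the request URL and ends the matching session by `sid`, never consulting a cookie, so neither third-party-cookie blocking nor a cookieless cross-site load affects it. HS256 with a shared secret (real OPs would sign with their published keys), the claim set borrowed from back-channel logout tokens, and all names, URLs and sample values are assumptions for the demo.

```python
import base64, hashlib, hmac, json

# Constructed values for this example only (assumptions, not real endpoints or keys).
SECRET = b"example-shared-secret"
ISSUER = "https://op.example.com"
CLIENT_ID = "rp-client-id"
LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"
MAX_AGE_SECONDS = 120  # logout tokens are single-use and short-lived

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_logout_token(sid: str, now: int) -> str:
    """OP side: mint an HS256 logout token naming the session to terminate."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "logout+jwt"}).encode())
    payload = _b64url(json.dumps({
        "iss": ISSUER, "aud": CLIENT_ID, "iat": now, "jti": f"jti-{sid}-{now}",
        "sid": sid, "events": {LOGOUT_EVENT: {}},
    }).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_logout_token(token: str, now: int, seen_jti: set) -> str:
    """RP side: check signature, alg, iss/aud, freshness, replay and shape; return sid."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm, never trust the header alone
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID:
        raise ValueError("wrong issuer or audience")
    if abs(now - claims.get("iat", 0)) > MAX_AGE_SECONDS:
        raise ValueError("token too old")
    if claims.get("jti") in seen_jti:
        raise ValueError("replayed jti")  # a replayed URL must not log anyone out twice
    if "nonce" in claims or LOGOUT_EVENT not in claims.get("events", {}):
        raise ValueError("not a logout token")  # nonce marks an ID token, not a logout token
    if "sid" not in claims and "sub" not in claims:
        raise ValueError("neither sid nor sub present")
    seen_jti.add(claims["jti"])
    return claims.get("sid")

def front_channel_logout(query: dict, sessions: dict, now: int, seen_jti: set) -> bool:
    """Handle GET /frontchannel_logout?logout_token=...; the cookie jar is never read."""
    sid = verify_logout_token(query["logout_token"], now, seen_jti)
    return sessions.pop(sid, None) is not None  # True if a live session was ended
```

Because the session is selected by the signed `sid` rather than by whatever cookie the browser happens to send, a page that merely loads the endpoint URL without a valid token cannot log anyone out.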