backchannel logout spec doesn't have requirement that 'sid` in id_token & logout_token match

Comments (5)

1. 

   Filip Skokan

   Since the id_token passed to rp-initiated logout is a hint I don’t think we can expect the logout token’s sid to always match what the RP then receives in the backchannel logout request. The OP can ignore the id_token_hint when it’s no longer one related to the end-user session and continue without it, albeit now knowing the client and able to verify the post_logout_redirect_uri.

   Furthermore, when a client receives a logout token out of the blue (because e.g. it wasn’t the one initiating the rp-initiated logout request) then there’s not much to match against, the RP will search its records for a session match based on the sid or sub and drop them (or put them on a “revoked” list for when they re-appear).

   • 2020-06-16T08:28:09+00:00
2. 

   Joseph Heenan reporter

   I’d forgotten there were multiple id_tokens in play. I guess I meant “the sid value MUST match that in an id_token previously issued by the OP”.

   ‌

   • 2020-06-16T08:36:47+00:00
3. 

   Filip Skokan

   On the RP? MUST? Maybe. Consider my OP just puts the sid in there all the time. But my RP policy is to drop all sessions for a user regardless of the sid I receive. SHOULD describes that scenario better imho.

   • 2020-06-16T09:01:39+00:00
4. 

   Michael Jones

   • changed milestone to RC1
   • assigned issue to
     
     Michael Jones

   I agree that we need to be more clear about this. I will investigate and propose language.

   • 2020-06-18T14:30:13+00:00
5. 

   Michael Jones

   • changed status to resolved

   Fixed #1176 - Verify that the sid Logout Token claim matches this claim in an ID Token

   → <<cset 9114b77ebb94>>

   • 2020-08-01T01:36:10+00:00
6. Log in to comment