Handling errors during OpenID Connect RP-Initiated Logout

Issue #1183 resolved
Mitar created an issue

I have attempted to implement the updated OpenID Connect RP-Initiated Logout spec, but I am realizing it is underspecified about what happens on errors. Like, there are requirements that RP has to provide id_token_hint together with the post_logout_redirect_uri, but what if that is not so? How is error reported to the RP? Redirect and put the error in the query string? Return JSON with the error? What if the error is of internal nature, like database access error while OP tried to logout the user on its side? How to communicate back that RP should retry at a later time? Which errors to show to the user and which errors should be returned back to the RP? What if returning back to RP is not possible because redirect URI is not known?

Comments (8)

  1. Mitar reporter

    Hm, how does NOT using information which has failed validation answer the question of how the error is returned back to the logout initiator? Or if it is returned at all?

    I am lacking information about error reporting in general. Like, what happens if database write fails during logout. Should I just stop the logout flow and show the error to the user? Should I return to the logout initiator so that the initiator can retry? How do I return to the initiator and return the error in a meaningful way?

  2. Michael Jones

    If validation steps fail, then it is not safe to redirect back to the initiator, because the supplied post_logout_redirect_uri may be supplied by an attacker. In that case, if an error is shown, it must be shown by the OP. That’s why no error codes are defined in the specification - because there’s no safe channel with which to deliver them.

    Given that the specification already describes the conditions under which the post-logout redirect must not occur, I would propose that we close this issue without further action unless someone wants to supply proposed related clarification text for the specification.
