-
assigned issue to
Michael Jones
Handling errors during OpenID Connect RP-Initiated Logout
Issue #1183
resolved
I have attempted to implement the updated OpenID Connect RP-Initiated Logout spec, but I am realizing it is underspecified about what happens on errors. Like, there are requirements that RP has to provide id_token_hint together with the post_logout_redirect_uri, but what if that is not so? How is error reported to the RP? Redirect and put the error in the query string? Return JSON with the error? What if the error is of internal nature, like database access error while OP tried to logout the user on its side? How to communicate back that RP should retry at a later time? Which errors to show to the user and which errors should be returned back to the RP? What if returning back to RP is not possible because redirect URI is not known?
Comments (8)
-
-
The WG agreed on the call on 4/12/21 that :
https://openid.net/specs/openid-connect-rpinitiated-1_0.html#Validation
If any operations requiring the information that failed to correctly validate MUST be aborted and the information that failed to validate MUST NOT be used.
Related to
#1216
-
- changed status to open
-
reporter
Hm, how does NOT using information which has failed validation answers the question how is the error returned back to the logout initiator? Or if it is returned at all?
I am lacking information about error reporting in general. Like, what happens if database write fails during logout. Should I just stop the logout flow and show the error to the user? Should I return to the logout initiator so that the initiator can retry? How do I return to the initiator and return the error in a meaningful way?
-
If validation steps fail, then it is not safe to redirect back to the initiator, because the supplied post_logout_redirect_uri may be supplied by an attacker. In that case, if an error is shown, it must be shown by the OP. That’s why no error codes are defined in in the specification - because there’s no safe channel with which to deliver them.
Given that the specification already describes the conditions under which the post-logout redirect must not occur, I would propose that we close this issue without further action unless someone wants to supply proposed related clarification text for the specification.
-
This will be fixed by https://bitbucket.org/openid/connect/pull-requests/153/described-rp-initiated-logout-error .
-
reporter
Awesome! Thanks!
-
- changed status to resolved
- Log in to comment
When working on the updates described in
#1182I’ll also consider updating the error handling descriptions.