query over rp initiated logout certification test outcomes for tests that use invalid information

Issue #1216 resolved
Joseph Heenan created an issue

The certification team have received a logout certification that seems to differ from all previous ones and from the outcome the tests describe. We’re inclined to think this is okay but I thought it best to seek guidance from the working group before we update the test descriptions.

The relevant tests are:

  • oidcc-rp-initiated-logout-bad-post-logout-redirect-uri
  • oidcc-rp-initiated-logout-query-added-to-post-logout-redirect-uri

“If the post logout redirect URI does not match the pre-configured one, but the id_token_hint validation succeeded, we will logout the user, but not make the redirect URI available to the UI, nor automatically redirect.”

  • oidcc-rp-initiated-logout-modified-id-token-hint
  • oidcc-rp-initiated-logout-bad-id-token-hint
  • oidcc-rp-initiated-logout-no-id-token-hint

“If id_token_hint is missing, or validation failed, we do not show an error message to the user, we fall back to prompting the user if he really wants to log out.”

The python tests used wording like:

This test should result in the OpenID Provider displaying an error message in your user agent. You must submit a screen shot of the error shown as part of your certification application.

and the java tests tend to use language like:

the OP must show an error screen, a screenshot of which should be uploaded

https://openid.net/specs/openid-connect-rpinitiated-1_0.html says:

Logout requests without a valid id_token_hint value are a potential means of denial of service; therefore, OPs may want to require explicit user confirmation before acting upon them.

and:

If any of the validation procedures defined in this specification fail, any operations requiring the information that failed to correctly validate MUST be aborted and the information that failed to validate MUST NOT be used.

Which appears to support these outcomes.

The question is basically: in all these scenarios, is it permitted to not show errors?

(If so we’ll update the test descriptions to try and make the permitted outcomes clear.)

Comments (10)

  1. Joseph Heenan

    Discussed on today’s call but no firm outcome reached. I think regardless we felt some clarification of the spec would be good, but we may need input from a few more experts before coming to a firm conclusion.

  2. Michael Jones

    It sounds to me like the issue for the certification team was long ago decided and handled. Reviewing the current text, I do not see a need for specification changes related to this issue. Unless people want to propose specific text changes to the RP-Initiated Logout spec, I propose that we close this issue with no further action.

  3. Joseph Heenan

    I don’t think we’ve updated the test descriptions yet, so they’re still expecting errors to be displayed. It sounds like we should do that.

    I suggest making at least one tweak to the spec text just to provide guidance on possible outcomes, as it seems a lot of people interpreted “MUST be aborted” as meaning “show an error”, and perhaps “not showing an error” is a better outcome for the user experience that we might at least want to draw attention to as a possibility.

    For example after this sentence:

    If any operations requiring the information that failed to correctly validate MUST be aborted and the information that failed to validate MUST NOT be used.

    we could add “The OP may decide how it handles this operation. For example, in the case of an invalid/missing id_token_hint, it might display an error, or it may seek confirmation from the user as to whether they want to logout. Or in the case of a bad redirect url, the OP may choose to display an error, or if the id_token_hint is valid to logout the user - it must not redirect to the bad url though.”
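The decision logic described in this thread, written out as an added example of how an OP might handle the invalid-input cases without showing an error (this is not the certification suite's code nor any particular OP's). It assumes HS256-signed ID tokens, a single constructed client registration, and a hypothetical signing key; the handling follows the outcomes quoted in the issue: a missing or invalid id_token_hint falls back to asking the user to confirm, and a valid hint with an unregistered or query-modified post_logout_redirect_uri logs the user out but never redirects to that URI.

```python
"""OP-side handling of an RP-initiated logout request (added example).

Constructed data: one registered client, one registered post-logout URI and
an HS256 key. Outcomes mirror the thread: invalid/missing hint -> confirm
with the user; valid hint + unregistered redirect URI -> log out, no redirect.
"""
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlencode

ISSUER = "https://op.example"                       # constructed
CLIENT_ID = "client-123"                            # constructed
HMAC_KEY = b"constructed-op-signing-key"            # hypothetical HS256 key
REGISTERED_POST_LOGOUT_URIS = {CLIENT_ID: {"https://rp.example/logged-out"}}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(sub: str, key: bytes = HMAC_KEY) -> str:
    """Mint an HS256 id_token; only used here to construct sample input."""
    now = int(time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": CLIENT_ID, "sub": sub, "iat": now, "exp": now + 3600}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_id_token_hint(token, session_sub):
    """Return the claims if the hint verifies and names the current session's
    subject, otherwise None. Expiry is deliberately not enforced: the spec lets
    an OP accept an ID token for a current or recent session even after exp."""
    if not token:
        return None
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(claims_b64))
        sig = _b64url_decode(sig_b64)
    except (ValueError, json.JSONDecodeError):
        return None
    expected = hmac.new(HMAC_KEY, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if header.get("alg") != "HS256" or not hmac.compare_digest(expected, sig):
        return None
    aud = claims.get("aud")
    aud_ok = aud == CLIENT_ID if isinstance(aud, str) else CLIENT_ID in (aud or [])
    if claims.get("iss") != ISSUER or not aud_ok or claims.get("sub") != session_sub:
        return None
    return claims


def handle_logout_request(params, session_sub):
    """Decide the outcome for one logout request. `params` is the parsed query
    string; `session_sub` is the subject of the OP session in the user agent."""
    hint = validate_id_token_hint(params.get("id_token_hint"), session_sub)
    if hint is None:
        # Missing or failed hint: do not act on it, do not use any redirect URI;
        # instead ask the user whether they really want to log out.
        return {"outcome": "confirm_logout", "redirect": None}
    client_id = hint["aud"] if isinstance(hint["aud"], str) else hint["aud"][0]
    redirect_uri = params.get("post_logout_redirect_uri")
    if redirect_uri is None:
        return {"outcome": "logged_out", "redirect": None}
    # Exact string comparison against the registered values, so a URI with an
    # added query component is treated as unregistered: log out, but neither
    # expose the URI to the UI nor redirect to it.
    if redirect_uri not in REGISTERED_POST_LOGOUT_URIS.get(client_id, ()):
        return {"outcome": "logged_out", "redirect": None}
    state = params.get("state")
    redirect = redirect_uri + ("?" + urlencode({"state": state}) if state else "")
    return {"outcome": "logged_out", "redirect": redirect}
```

The subject check in validate_id_token_hint is a simplification: the specification says an OP should treat a hint that does not correspond to the current or a recent session as suspect and may decline to act on it, which this example does by taking the confirmation path.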
