The course of action the OP must take in regard to a valid
post_logout_redirect_uri and any back / front-channel notifications for the requesting RP is currently not well specified when the OP has no session for the end-user:
- Should the OP still act upon the
- If the requesting RP is registered for back / front channel notifications - should the OP dispatch them?
If the RP presented a valid
id_token_hint - does this change anything in regard to (1) and (2)?
If we assume “no user session at the OP” is to mean error, section 4 seems to suggest that all action should be aborted, save for giving the end-user the choice to log out from the OP: