[RP-Initiated Logout] End-user has no session with the OP, what action to take in regard to post logout redirect and back / front-channel notifications?

Issue #1549 resolved
Vladimir Dzhuvinov created an issue

The course of action the OP must take in regard to a valid post_logout_redirect_uri and any back / front-channel notifications for the requesting RP is currently not well specified when the OP has no session for the end-user:

  1. Should the OP still act upon the post_logout_redirect_uri ?
  2. If the requesting RP is registered for back / front channel notifications - should the OP dispatch them?

If the RP presented a valid id_token_hint - does this change anything in regard to (1) and (2)?

If we assume “no user session at the OP” is to mean error, section 4 seems to suggest that all action should be aborted, save for giving the end-user the choice to log out from the OP:

https://openid.net/specs/openid-connect-rpinitiated-1_0.html#ValidationAndErrorHandling

Comments (5)

  1. Vladimir Dzhuvinov reporter

    On the 2022-08-11 OIDC WG call we agreed post_logout_redirect_uri should always be honored (when successfully validated) in order to ensure consistent logout UX regardless of whether the end-user is still logged in or not with the OP.

    The back / front-channel notification specs are clear the events are raised at OP logout, so no clarification needed there.

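The behaviour agreed above, as an added example that is not part of the issue, the spec, or any OP implementation: an OP-side decision function for the RP-initiated logout endpoint that validates `post_logout_redirect_uri` (exact match against the RP's registered values) before looking at session state, honours it whether or not an OP session exists, and raises back-channel notifications only when an OP logout actually occurs. The RP registrations, session object and parameter names are constructed for the example; `id_token_claims` is assumed to be the payload of an `id_token_hint` whose signature was already verified upstream, and HTTP dispatch of logout tokens is modelled as a returned list rather than performed. Rejecting a hint whose `sub` differs from the logged-in user is this example's policy choice.

```python
"""Model of an OP's RP-initiated logout decision (added example, not spec or issue code)."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlencode


@dataclass(frozen=True)
class Client:
    client_id: str
    post_logout_redirect_uris: tuple = ()            # exact-match registered values
    backchannel_logout_uri: Optional[str] = None     # set when registered for back-channel logout


@dataclass(frozen=True)
class OPSession:
    sub: str
    sid: str
    participating_clients: tuple  # client_ids that logged in within this OP session


@dataclass
class LogoutOutcome:
    session_terminated: bool
    notifications: list          # (client_id, backchannel_logout_uri, sid) to send a logout token to
    redirect_to: Optional[str]   # validated post_logout_redirect_uri (+ state), or None


# Constructed registration data for hypothetical RPs (not real deployments).
CLIENTS = {
    "app-a": Client("app-a", ("https://a.example/loggedout",), "https://a.example/bc-logout"),
    "app-b": Client("app-b", (), "https://b.example/bc-logout"),
}


def identify_client(params, id_token_claims, clients):
    """Identify the requesting RP from client_id and/or the aud of a verified id_token_hint."""
    client_id = params.get("client_id")
    if id_token_claims is not None:
        aud = id_token_claims.get("aud")
        auds = [aud] if isinstance(aud, str) else list(aud or [])
        # When both client_id and id_token_hint are present they must agree.
        if client_id is not None and client_id not in auds:
            raise ValueError("client_id does not match the id_token_hint audience")
        if client_id is None and len(auds) == 1:
            client_id = auds[0]
    return clients.get(client_id) if client_id is not None else None


def validate_post_logout_redirect_uri(params, client):
    """Return the URI only if it is registered (exact match) for an identified RP; else refuse it."""
    uri = params.get("post_logout_redirect_uri")
    if uri is None:
        return None
    if client is None:
        raise ValueError("post_logout_redirect_uri present but the RP could not be identified")
    if uri not in client.post_logout_redirect_uris:
        raise ValueError("post_logout_redirect_uri is not registered for this RP")
    return uri


def build_redirect(uri, state):
    """Append the RP's state (if any) as a query parameter."""
    if state is None:
        return uri
    return f"{uri}{'&' if '?' in uri else '?'}{urlencode({'state': state})}"


def rp_initiated_logout(params, id_token_claims, current_session, clients=CLIENTS):
    """Decide what the OP does for one logout request.

    params: query parameters of the logout request (dict).
    id_token_claims: claims of an already signature-verified id_token_hint, or None
                     (assumption: JWT verification happened upstream).
    current_session: the OP's session for this browser, or None when the user is not logged in.
    """
    client = identify_client(params, id_token_claims, clients)
    # Validate the redirect target before touching session state so a bad URI aborts early.
    redirect_uri = validate_post_logout_redirect_uri(params, client)
    redirect_to = build_redirect(redirect_uri, params.get("state")) if redirect_uri else None

    if current_session is None:
        # No OP session: nothing to terminate and no logout event occurs, so no back/front-channel
        # notifications are raised; the validated redirect is still honoured for a consistent UX.
        return LogoutOutcome(session_terminated=False, notifications=[], redirect_to=redirect_to)

    if id_token_claims is not None and id_token_claims.get("sub") != current_session.sub:
        # The hint names a different user than the one logged in: this example rejects the request.
        raise ValueError("id_token_hint subject does not match the current OP session")

    # OP logout happens here; it is the event that triggers notifications to every RP that
    # participated in the session and registered a back-channel logout URI.
    notifications = [
        (cid, clients[cid].backchannel_logout_uri, current_session.sid)
        for cid in current_session.participating_clients
        if cid in clients and clients[cid].backchannel_logout_uri
    ]
    return LogoutOutcome(session_terminated=True, notifications=notifications, redirect_to=redirect_to)
```

Front-channel logout would be handled in the same branch as the back-channel list (rendering the registered frontchannel_logout_uri values in the logout page) and is equally absent from the no-session branch, since there is no OP logout to announce.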