[RP-Initiated Logout] End-user has no session with the OP, what action to take in regard to post logout redirect and back / front-channel notifications?

Issue #1549 resolved
Vladimir Dzhuvinov created an issue

The course of action the OP must take in regard to a valid post_logout_redirect_uri and any back / front-channel notifications for the requesting RP is currently not well specified when the OP has no session for the end-user:

  1. Should the OP still act upon the post_logout_redirect_uri ?
  2. If the requesting RP is registered for back / front channel notifications - should the OP dispatch them?

If the RP presented a valid id_token_hint - does this change anything in regard to (1) and (2)?

If we assume “no user session at the OP” is to mean error, section 4 seems to suggest that all action should be aborted, save for giving the end-user the choice to log out from the OP:


Comments (5)

  1. Vladimir Dzhuvinov reporter

    On the 2022-08-11 OIDC WG call we agreed post_logout_redirect_uri should always be honored (when successfully validated) in order to ensure consistent logout UX regardless of whether the end-user is still logged in or not with the OP.

    The back / front-channel notification specs are clear the events are raised at OP logout, so no clarification needed there.

  2. Log in to comment