Session 5.1 - Make post_logout_redirect_uri treatment more parallel to redirect_uri

Issue #842 resolved
Michael Jones created an issue

Currently, multiple redirect_uri values can be pre-registered, but only one post_logout_redirect_uri. Also, currently the redirect_uri value to be used must be explicitly passed to the OP, but the OP is expected to implicitly look up the registered post_logout_redirect_uri value and use it.

I am aware of a use case in which multiple post_logout_redirect_uri values are necessary. The RP is willing to pass the value to be used as an explicit parameter. I'll note that passing an explicit parameter would also be aligned with what WS-Federation does.

I propose that we change the post_logout_redirect_uri behavior to be parallel with that of redirect_uri in the manner described above. If a post_logout_redirect_uri is not passed by the RP to the OP at logout time, the OP would not perform any redirection, and would retain control of the browser session.

Comments (2)

  1. OpenID Foundation repo owner

    While I personally agree to this change, unlike other last minute edits, this is a normative technical change, so I would like to have more people to review it before we close.

    =nat via iPhone

  2. Log in to comment