- changed status to resolved
Session 5.1 - Make post_logout_redirect_uri treatment more parallel to redirect_uri
Currently, multiple redirect_uri values can be pre-registered, but only one post_logout_redirect_uri. Also, currently the redirect_uri value to be used must be explicitly passed to the OP, but the OP is expected to implicitly look up the registered post_logout_redirect_uri value and use it.
I am aware of a use case in which multiple post_logout_redirect_uri values are necessary. The RP is willing to pass the value to be used as an explicit parameter. I'll note that passing an explicit parameter would also be aligned with what WS-Federation does.
I propose that we change the post_logout_redirect_uri behavior to be parallel with that of redirect_uri in the manner described above. If a post_logout_redirect_uri is not passed by the RP to the OP at logout time, the OP would not perform any redirection, and would retain control of the browser session.
Comments (2)
reporter -
repo owner While I personally agree to this change, unlike other last minute edits, this is a normative technical change, so I would like to have more people review it before we close.
=nat via iPhone
Fixed
#842 - Made "post_logout_redirect_uri" treatment parallel to "redirect_uri". → <<cset 132b3efa9ecf>>
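The OP-side behaviour proposed in the issue above, sketched as an added example (not code from the specification or from any OP implementation). The client registry, the function names and the handling of an unregistered value (treated as "no redirect") are assumptions; the exact string comparison mirrors the rule OpenID Connect Core applies to redirect_uri.

```python
from typing import Optional, Tuple

# Constructed registry: client_id -> set of pre-registered
# post_logout_redirect_uri values (several per client, as proposed).
REGISTERED_POST_LOGOUT_URIS = {
    "rp-1": {
        "https://rp.example/logged-out",
        "https://rp.example/tenant-b/logged-out",
    },
}


def resolve_post_logout_redirect(client_id: str,
                                 requested: Optional[str]) -> Optional[str]:
    """Return the URI to redirect to after logout, or None to stay at the OP."""
    # Parameter not passed: per the proposal the OP performs no redirection
    # and retains control of the browser session.
    if not requested:
        return None
    registered = REGISTERED_POST_LOGOUT_URIS.get(client_id, set())
    # Exact string match against the registered values, as for redirect_uri.
    # No prefix matching, wildcards or normalisation, so a value that merely
    # starts with a registered URI cannot turn the OP into an open redirector.
    if requested in registered:
        return requested
    # Assumption: an unregistered value is handled like a missing one.
    return None


def handle_logout(client_id: str,
                  requested: Optional[str]) -> Tuple[int, Optional[str]]:
    """Hypothetical logout endpoint core: returns (HTTP status, Location)."""
    target = resolve_post_logout_redirect(client_id, requested)
    if target is None:
        return 200, None   # render the OP's own "logged out" page
    return 302, target     # redirect back to the RP-chosen registered URI


if __name__ == "__main__":
    for uri in (None,
                "https://rp.example/tenant-b/logged-out",
                "https://rp.example/logged-out/../other"):
        print(uri, "->", handle_logout("rp-1", uri))
```
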