The OIDC logout-related specs are all now final (as of 12 September 2022). This includes the RP-Initiated Logout, Front-Channel Logout, Back-Channel Logout and Session Management specs. The corresponding references in the CATS 3.0 OIDC deployment profile will be updated accordingly.
The changes to the RP-initiated Logout spec (from the first draft dated 7 August 2020) include the addition of the client_id and logout_hint parameters as well as changes/clarifications regarding the id_token_hint parameter – particularly in association with the post_logout_redirect_uri parameter. Some of the rationale for the changes is provided here [https://bitbucket.org/openid/connect/issues/1182/add-logout_hint-parameter-to-rp-initiated]. One thing to note is that the id_token_hint is no longer REQUIRED if the post_redirect_logout_uri is present in the RP-initiated logout request (it is now RECOMMENDED instead). In addition, the client_id should be present if the id_token_hint is not, but this is not mandatory.
A potential issue for discussion is that an RP can send a logout request with the post_logout_redirect_uri parameter without including either the id_token_hint or the client_id (or any other parameters for that matter). While I would argue this violates the “spirit” of the new RP-initiated Logout spec (i.e., at least one of those two parameters should be present), my interpretation is that an RP can omit both yet still claim compliance with the spec as it is currently worded. Based on the discussions that led to these changes in the first place (see link provided above), this surprised me as I would have expected the presence of at least one of those parameters to be REQUIRED. While there are always trade-offs between placing burden on the RPs versus the OPs, it seems to me that requiring an RP to include client_id in the absence of an id_token_hint is little to ask if the RP wants their post logout redirect request to be honored.
So, should a constraint be added to the CATS 3.0 OIDC deployment profile in order to make it mandatory that either the id_token_hint or the client_id parameter MUST be present if the post_logout_redirect_uri parameter is included in the RP-initiated logout request? (Of course, both may be present as well, but at least one of them MUST be present.) Or, should a CATS 3.0 compliant OP be able to reliably action a post logout redirect request in the absence of either parameter (keeping in mind that the post_logout_redirect_uri in the logout request must match a pre-registered post_logout_redirect_uri known to the OP)? And, if the latter, should this be clarified in the CATS 3.0 OIDC deployment profile?
The OIDC logout-related specs are all now final (as of 12 September 2022). This includes the RP-Initiated Logout, Front-Channel Logout, Back-Channel Logout and Session Management specs. The corresponding references in the CATS 3.0 OIDC deployment profile will be updated accordingly.
The changes to the RP-initiated Logout spec (from the first draft dated 7 August 2020) include the addition of the client_id and logout_hint parameters as well as changes/clarifications regarding the id_token_hint parameter – particularly in association with the post_logout_redirect_uri parameter. Some of the rationale for the changes is provided here [https://bitbucket.org/openid/connect/issues/1182/add-logout_hint-parameter-to-rp-initiated]. One thing to note is that the id_token_hint is no longer REQUIRED if the post_redirect_logout_uri is present in the RP-initiated logout request (it is now RECOMMENDED instead). In addition, the client_id should be present if the id_token_hint is not, but this is not mandatory.
A potential issue for discussion is that an RP can send a logout request with the post_logout_redirect_uri parameter without including either the id_token_hint or the client_id (or any other parameters for that matter). While I would argue this violates the “spirit” of the new RP-initiated Logout spec (i.e., at least one of those two parameters should be present), my interpretation is that an RP can omit both yet still claim compliance with the spec as it is currently worded. Based on the discussions that led to these changes in the first place (see link provided above), this surprised me as I would have expected the presence of at least one of those parameters to be REQUIRED. While there are always trade-offs between placing burden on the RPs versus the OPs, it seems to me that requiring an RP to include client_id in the absence of an id_token_hint is little to ask if the RP wants their post logout redirect request to be honored.
So, should a constraint be added to the CATS 3.0 OIDC deployment profile in order to make it mandatory that either the id_token_hint or the client_id parameter MUST be present if the post_logout_redirect_uri parameter is included in the RP-initiated logout request? (Of course, both may be present as well, but at least one of them MUST be present.) Or, should a CATS 3.0 compliant OP be able to reliably action a post logout redirect request in the absence of either parameter (keeping in mind that the post_logout_redirect_uri in the logout request must match a pre-registered post_logout_redirect_uri known to the OP)? And, if the latter, should this be clarified in the CATS 3.0 OIDC deployment profile?