feat(oxauth): add client_id parameter support to /end_session
Support: 11416
Motivation
Corner case is when session is expired and grant object is expired (or revoked) and AS is not able to identify client.
Obviously if AS can't identify client (due to missed session and id_token_hint) it falls back to global validation via clientWhiteList and allowPostLogoutRedirectWithoutValidation=true.
If we want to avoid global clientWhiteList question is still the same, how AS should figure out client if session and id_token_hint is not there ?
One possible solution is to pass client_id explicitly, so AS will do following:
get client from session
if no session -> get client from id_token_hint
if grant object for id_token_hint is not there -> take client by client_id.
client_id parameter is just an idea, it's not supported however it can be implemented.
yuriyz
commented
1 year ago
Describe the issue
feat(oxauth): add client_id parameter support to /end_session
Support: 11416
Motivation
Corner case is when session is expired and grant object is expired (or revoked) and AS is not able to identify client.
Obviously if AS can't identify client (due to missed session and id_token_hint) it falls back to global validation via
clientWhiteListandallowPostLogoutRedirectWithoutValidation=true.If we want to avoid global
clientWhiteListquestion is still the same, how AS should figure out client if session and id_token_hint is not there ?One possible solution is to pass client_id explicitly, so AS will do following: