jazzband / django-oauth-toolkit

OAuth2 goodies for the Djangonauts!
https://django-oauth-toolkit.readthedocs.io

Error if multiples RP ask to logout the same user #1287

Open tonial opened 1 year ago

tonial commented 1 year ago

Describe the bug

A user is logged in with OIDC on 2 separate RPs. If he is redirected to the rp-initiated logout view for RP1, all his tokens will be revoked (and deleted for id/access tokens). If RP2 also redirects the user to the rp-initiated logout using the id_token_hint parameter, the request will be rejected because no IDToken will be found (since it was previously deleted).

To Reproduce

See above

Expected behavior

The specs say:

If any of the validation procedures defined in this specification fail, any operations requiring the information that failed to correctly validate MUST be aborted and the information that failed to validate MUST NOT be used. Note that because RP-Initiated Logout Requests are intended to be idempotent, it is explicitly not an error for an RP to request that a logout be performed when the OP does not consider that the End-User is logged in with the OP at the requesting RP.

As described in Section 3, when the OP detects errors in the RP-Initiated Logout request, the OP MUST not perform post-logout redirection to an RP. Beyond that, the OP has discretion on what information to display to the End-User in the resulting page at the OP and what actions to enable the End-User to perform next. It MAY display an error message. It MAY ask the End-User whether to log out of the OP.

Note that giving the End-User the opportunity to log out may have security benefits, especially in kiosk scenarios. The End-User initiating a logout action at the RP may expect to be completely logged out, including from the OP. Not giving the End-User the opportunity to log out at the OP and leaving the End-User logged in would likely violate the End-User's security expectations about being completely logged out.

We should not raise an error if the user is already logged out.

Version

2.3.0

Additional context
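The scenario above, worked through as an added example (this is not django-oauth-toolkit's code and does not use its models). It shows an OP logout handler that validates id_token_hint statelessly, by checking its signature, iss and aud, instead of looking the ID Token up in a store, so the second RP's logout request for a user whose tokens were already revoked and deleted succeeds as a no-op rather than failing. The HS256 signing with a shared secret, the Provider/Client classes, the single-string aud claim and the sample client registrations are all assumptions made for the example; a real OP signs ID Tokens with its own asymmetric key.

```python
"""Idempotent RP-initiated logout at an OpenID Provider (added example).

The id_token_hint is validated statelessly (signature, iss, aud), so a second
logout request for a user whose tokens were already revoked and deleted is a
no-op rather than an error. HS256 with a shared secret and a single-string
aud claim are simplifications for this example only.
"""
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(key: bytes, claims: dict) -> str:
    """Compact JWS (HS256) carrying the ID Token claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_id_token(key: bytes, token: str) -> Optional[dict]:
    """Return the claims if the signature verifies, else None. No DB lookup."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    return json.loads(_b64url_decode(payload))


@dataclass
class Client:
    client_id: str
    post_logout_redirect_uris: frozenset   # pre-registered, exact match only


@dataclass
class LogoutResult:
    ok: bool
    redirect_to: Optional[str]   # None: render the OP's own logout page instead
    reason: str


@dataclass
class Provider:
    issuer: str
    key: bytes
    clients: dict                                 # client_id -> Client
    sessions: set = field(default_factory=set)    # subs with a live OP session
    tokens: dict = field(default_factory=dict)    # sub -> set of stored token ids

    def rp_initiated_logout(self, id_token_hint=None, client_id=None,
                            post_logout_redirect_uri=None) -> LogoutResult:
        hint_client = sub = None
        if id_token_hint is not None:
            claims = verify_id_token(self.key, id_token_hint)
            # A hint that fails validation aborts the request and must not redirect.
            if (claims is None or claims.get("iss") != self.issuer
                    or claims.get("aud") not in self.clients or "sub" not in claims):
                return LogoutResult(False, None, "invalid id_token_hint")
            hint_client, sub = claims["aud"], claims["sub"]
        if client_id is not None and hint_client is not None and client_id != hint_client:
            return LogoutResult(False, None, "client_id does not match id_token_hint")
        wanted = client_id or hint_client
        client = self.clients.get(wanted) if wanted else None
        if wanted and client is None:
            return LogoutResult(False, None, "unknown client_id")

        # Idempotent: ending a session that is already gone is not an error.
        if sub is None:
            reason = "no id_token_hint: ask the End-User whether to log out"
        elif sub in self.sessions:
            self.sessions.discard(sub)
            self.tokens.pop(sub, None)    # revoke and delete every token of the user
            reason = "logged out"
        else:
            reason = "already logged out"

        # Redirect only to a URI pre-registered for the client the request identified.
        if client is not None and post_logout_redirect_uri in client.post_logout_redirect_uris:
            return LogoutResult(True, post_logout_redirect_uri, reason)
        return LogoutResult(True, None, reason)


def build_demo_provider():
    """Constructed sample state: alice is logged in at the OP via RP1 and RP2."""
    key = b"example-shared-secret"
    op = Provider(
        issuer="https://op.example",
        key=key,
        clients={
            "rp1": Client("rp1", frozenset({"https://rp1.example/bye"})),
            "rp2": Client("rp2", frozenset({"https://rp2.example/bye"})),
        },
        sessions={"alice"},
        tokens={"alice": {"id-rp1", "access-rp1", "id-rp2", "access-rp2"}},
    )
    return op, key


if __name__ == "__main__":
    op, key = build_demo_provider()
    for rp in ("rp1", "rp2"):
        hint = mint_id_token(key, {"iss": op.issuer, "aud": rp, "sub": "alice"})
        print(rp, op.rp_initiated_logout(hint, post_logout_redirect_uri=f"https://{rp}.example/bye"))
```

Running it logs alice out on the first request and reports "already logged out" on the second, redirecting to each RP's registered URI both times; a hint signed with the wrong key, or naming an unregistered aud, is refused with no redirect.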