lepture / authlib

The ultimate Python library in building OAuth, OpenID Connect clients and servers. JWS,JWE,JWK,JWA,JWT included.
https://authlib.org/
BSD 3-Clause "New" or "Revised" License
4.54k stars 452 forks

OpenID Connect RP-Initiated Logout #500

Open azmeuk opened 1 year ago

azmeuk commented 1 year ago

The OpenID Connect RP-Initiated Logout is not a draft anymore. I suggest implementing helpers for this specification in authlib.

This specification complements the OpenID Connect Core 1.0 [OpenID.Core] specification by enabling the Relying Party to request that an End-User be logged out by the OpenID Provider.

Related issues #292 #560 #561

azmeuk commented 1 year ago

@lepture I might be interested in tackling this one, however before I go too far I would appreciate some insight on a matter. The spec advises asking the user questions:

At the Logout Endpoint, the OP SHOULD ask the End-User whether to log out of the OP as well. Furthermore, the OP MUST ask the End-User this question if an id_token_hint was not provided or if the supplied ID Token does not belong to the current OP session with the RP and/or currently logged in End-User. If the End-User says "yes", then the OP MUST log out the End-User.

As described in Section 3, when the OP detects errors in the RP-Initiated Logout request, the OP MUST not perform post-logout redirection to an RP. Beyond that, the OP has discretion on what information to display to the End-User in the resulting page at the OP and what actions to enable the End-User to perform next. It MAY display an error message. It MAY ask the End-User whether to log out of the OP.

So, in some cases a confirmation is needed from the end-users. However, it is not the responsibility of authlib to display a confirmation page. I suppose authlib can delegate this and let developers display a confirmation form. When this confirmation is posted, and authlib deals with this second confirmation request, how should it deal with the RP-Initiated Logout claims?

What do you think?
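One way an OP can structure the two-step flow the comment above asks about, as an added example that is not part of this thread and not authlib's code: the logout request parameters are validated once, the result is bound server-side to an opaque confirmation token and to the current session, and the confirmation POST carries only that token, so the browser cannot alter the already-validated `post_logout_redirect_uri` or `state` between the two requests. The client registry, the session object and the `id_token_claims` field (standing in for an `id_token_hint` whose signature is assumed to have been verified upstream) are constructed for the example; only the MUST-ask cases of the spec are enforced, and whether to also ask on a matching hint (a SHOULD) is left to the deployment.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlencode, urlsplit, urlunsplit

# Constructed client registry: client_id -> registered post_logout_redirect_uris.
CLIENTS = {
    "rp-web": ["https://rp.example.com/logged-out"],
}


@dataclass
class Session:
    """The OP's current browser session (constructed stand-in)."""
    sub: Optional[str]                              # None = nobody logged in
    client_ids: set = field(default_factory=set)    # RPs this session authenticated to


@dataclass
class LogoutRequest:
    """Parameters of an RP-Initiated Logout request, after transport parsing."""
    client_id: Optional[str] = None
    id_token_claims: Optional[dict] = None          # id_token_hint claims; signature assumed verified upstream
    post_logout_redirect_uri: Optional[str] = None
    state: Optional[str] = None


@dataclass
class Decision:
    error: Optional[str] = None         # set => per spec, no post-logout redirect to the RP
    must_confirm: bool = False          # spec MUST: hint absent or not matching this session
    redirect_to: Optional[str] = None   # validated redirect target, only when the request is valid


def hint_matches_session(req, session):
    """True only if id_token_hint is for the logged-in user and an RP this session knows."""
    claims = req.id_token_claims
    if claims is None or session.sub is None:
        return False
    aud = claims.get("aud")
    auds = set(aud) if isinstance(aud, list) else {aud}
    if req.client_id is not None and req.client_id not in auds:
        return False
    return claims.get("sub") == session.sub and bool(auds & session.client_ids)


def build_redirect(uri, state):
    """Append state to the registered redirect URI without altering anything else."""
    if state is None:
        return uri
    parts = urlsplit(uri)
    query = parts.query + ("&" if parts.query else "") + urlencode({"state": state})
    return urlunsplit(parts._replace(query=query))


def evaluate_logout_request(req, session):
    # A redirect can only be validated against a known client (client_id or the hint's aud).
    client_id = req.client_id
    if client_id is None and req.id_token_claims is not None:
        aud = req.id_token_claims.get("aud")
        if isinstance(aud, str):
            client_id = aud
    redirect_to = None
    if req.post_logout_redirect_uri is not None:
        if client_id is None:
            return Decision(error="post_logout_redirect_uri given without an identifiable client")
        if req.post_logout_redirect_uri not in CLIENTS.get(client_id, []):
            return Decision(error="post_logout_redirect_uri not registered for client")
        redirect_to = build_redirect(req.post_logout_redirect_uri, req.state)
    return Decision(must_confirm=not hint_matches_session(req, session), redirect_to=redirect_to)


PENDING = {}  # constructed server-side store: confirmation token -> (Decision, sub it was issued to)


def start_logout(req, session):
    """Handle GET/POST to the logout endpoint; returns what the web layer should do next."""
    decision = evaluate_logout_request(req, session)
    if decision.error is not None:
        return {"action": "show_error", "error": decision.error}   # never redirect on error
    if not decision.must_confirm:
        return finish_logout(session, decision)
    token = secrets.token_urlsafe(32)
    PENDING[token] = (decision, session.sub)   # bind validated params to this token and user
    return {"action": "ask_user", "confirm_token": token}


def confirm_logout(token, answered_yes, session):
    """Handle the POST from the confirmation form; only the opaque token comes from the browser."""
    decision, sub = PENDING.pop(token, (None, None))  # single use
    if decision is None or sub != session.sub:
        return {"action": "show_error", "error": "unknown, used or foreign confirmation token"}
    if not answered_yes:
        return {"action": "stay_logged_in"}
    return finish_logout(session, decision)


def finish_logout(session, decision):
    session.sub = None
    session.client_ids.clear()
    if decision.redirect_to:
        return {"action": "redirect", "location": decision.redirect_to}
    return {"action": "show_logged_out"}
```

The point of the token store is that the second request never re-submits `post_logout_redirect_uri` or `state`: a form that echoed them back as hidden fields would have to be validated all over again and could be tampered with in between. Binding the token to `session.sub` also stops a token minted in one session from being replayed in another.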