Open azmeuk opened 1 year ago
@lepture I might be interested in tackling this one, however before I go too far I would appreciate some insight on a matter. The spec advises asking things of the users:
At the Logout Endpoint, the OP SHOULD ask the End-User whether to log out of the OP as well. Furthermore, the OP MUST ask the End-User this question if an id_token_hint was not provided or if the supplied ID Token does not belong to the current OP session with the RP and/or currently logged in End-User. If the End-User says "yes", then the OP MUST log out the End-User.
As described in Section 3, when the OP detects errors in the RP-Initiated Logout request, the OP MUST not perform post-logout redirection to an RP. Beyond that, the OP has discretion on what information to display to the End-User in the resulting page at the OP and what actions to enable the End-User to perform next. It MAY display an error message. It MAY ask the End-User whether to log out of the OP.
So, in some cases a confirmation is needed from the end-users. However, this is not the responsibility of authlib to display a confirmation page. I suppose authlib can delegate this and let developers display a confirmation form. When this confirmation is posted, and authlib deals with this second confirmation request, how to deal with the RP-Initiated Logout claims?
What do you think?
The OpenID Connect RP-Initiated Logout is not a draft anymore. I suggest implementing helpers for this specification in authlib.
Related issues #292 #560 #561
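The two questions in the discussion above (when the OP must ask the End-User, and how the validated request survives the round trip through a developer-supplied confirmation form) can be sketched in code. The following is an added example written for this thread, not authlib's code or API. The `Session`, `Client` and `Decision` types, the `decode_id_token` callback and the in-memory pending store are assumptions standing in for whatever a real OP uses; the sample tokens, client and session at the bottom are constructed for the test.

```python
"""Constructed example (not authlib's code) of the decision logic behind an
OP's RP-Initiated Logout endpoint, plus a way to carry the validated request
across a confirmation page.  All types and lookups here are assumptions."""
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlencode


@dataclass(frozen=True)
class Session:
    client_id: str   # RP that signed the End-User in for this OP session
    subject: str     # the currently logged-in End-User


@dataclass(frozen=True)
class Client:
    client_id: str
    post_logout_redirect_uris: Tuple[str, ...]  # registered at client registration


@dataclass(frozen=True)
class Decision:
    ask_user: bool              # OP must show a "log out of the OP too?" page first
    redirect_to: Optional[str]  # browser target after logout; None = stay at the OP
    error: Optional[str] = None # set when the request itself is invalid


def _audiences(claims: dict) -> set:
    aud = claims.get("aud", [])
    return {aud} if isinstance(aud, str) else set(aud)


def decide_logout(params: dict, session: Optional[Session], clients: Dict[str, Client],
                  decode_id_token: Callable[[str], Optional[dict]],
                  always_ask: bool = True) -> Decision:
    """Spec rules: ask the End-User unless a valid id_token_hint ties the request to
    the current session (and ask anyway by default), and never redirect on error."""
    hint = params.get("id_token_hint")
    client_id = params.get("client_id")
    redirect_uri = params.get("post_logout_redirect_uri")
    state = params.get("state")

    claims = None
    if hint is not None:
        claims = decode_id_token(hint)  # None means signature/format check failed
        if claims is None:
            return Decision(ask_user=True, redirect_to=None, error="invalid_id_token_hint")
        if client_id is not None and client_id not in _audiences(claims):
            return Decision(ask_user=True, redirect_to=None, error="client_id_mismatch")

    hint_matches_session = (
        claims is not None and session is not None
        and claims.get("sub") == session.subject
        and session.client_id in _audiences(claims)
    )
    ask_user = always_ask or not hint_matches_session

    if redirect_uri is None:
        return Decision(ask_user=ask_user, redirect_to=None)

    # Honour post_logout_redirect_uri only if it is registered for the RP that the
    # request identifies (client_id, or the single audience of the hint).
    effective_client = client_id
    if effective_client is None and claims is not None and len(_audiences(claims)) == 1:
        effective_client = next(iter(_audiences(claims)))
    client = clients.get(effective_client) if effective_client else None
    if client is None or redirect_uri not in client.post_logout_redirect_uris:
        return Decision(ask_user=ask_user, redirect_to=None,
                        error="invalid_post_logout_redirect_uri")
    target = redirect_uri + ("?" + urlencode({"state": state}) if state else "")
    return Decision(ask_user=ask_user, redirect_to=target)


# Carrying the validated request across the confirmation form: validate once,
# keep the Decision server-side under a random single-use handle, and let the
# form post back only that handle, so the RP's parameters are never re-read
# from the browser on the second request.
_pending: Dict[str, Decision] = {}

def start_confirmation(decision: Decision) -> str:
    handle = secrets.token_urlsafe(32)
    _pending[handle] = decision
    return handle

def finish_confirmation(handle: str, confirmed: bool) -> Optional[str]:
    """Redirect target once the End-User answered; None means stay at the OP."""
    decision = _pending.pop(handle, None)        # single use
    if decision is None or decision.error or not confirmed:
        return None                              # unknown, errored, or declined
    return decision.redirect_to


# Constructed sample data; fake_decode stands in for real JWT verification.
SAMPLE_TOKENS = {
    "good-token": {"iss": "https://op.example", "sub": "alice", "aud": "rp1"},
    "other-user": {"iss": "https://op.example", "sub": "bob", "aud": "rp1"},
}
def fake_decode(token: str) -> Optional[dict]:
    return SAMPLE_TOKENS.get(token)
SAMPLE_CLIENTS = {"rp1": Client("rp1", ("https://rp1.example/logged-out",))}
SAMPLE_SESSION = Session(client_id="rp1", subject="alice")
```

The endpoint would call `decide_logout` on the GET/POST from the RP, render the developer's confirmation form with the handle from `start_confirmation` when `ask_user` is set, and on the form's submit call `finish_confirmation` to learn whether to redirect; the error case already carries `redirect_to=None`, which matches the "MUST NOT perform post-logout redirection" rule quoted above.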