Closed panva closed 5 years ago
Quick fix is to remove the test.
I still feel that the behaviour of post_logout_redirect_uri/-s should mimic that of redirect_uri/-s but that is a longer discussion to be taken on the mailing list.
I don't get the comment about OP-BackChannel-RpInitLogout-only-state. Please be more explicit!
To me it's starting to sound like you have added a number of restrictions to the documents. The document states that id_token_hint is RECOMMENDED and post_logout_redirect_uri and state are OPTIONAL.
RECOMMENDED is not the same as REQUIRED. Which means that if one goes by the letter, then an end session request with only a state parameter is permitted. Are you saying it isn't?
Let me rephrase:
- Option 1) I think this test should be removed.
- Option 2 (preferred)) I think it should be changed so that it renders a note to the tester that he should take a screenshot of the success logout page.
Option 2 should also be applied to OP-BackChannel-RpInitLogout-only-state since, without either of the recommended parameters, the OP cannot redirect back to the RP and can only show a success confirmation.
> Are you saying it isn't?

No, I'm not saying that. Merely saying that there's no success condition the test suite can check for, and these should be a screenshot kind of tests.
> I still feel that the behaviour of post_logout_redirect_uri/-s should mimic that of redirect_uri/-s but that is a longer discussion to be taken on the mailing list.

I am 100% indifferent to whether the behaviour should or should not be; either way it would (as is the case for redirect_uris) be optional, and we therefore cannot base a test on it.
As-is today the only accepted behaviour is ~error.~ a success logout page on the OP being certified with a screenshot.
"Either of the recommended parameters"? There is only one and that is id_token_hint. I don't see that the discussion about post_logout_redirect_uri + id_token_hint changes that. At least it's not explicit about it. And in this case, if that is the wanted behaviour, it should be.
I myself would not mind if both id_token_hint and post_logout_redirect_uri were marked as REQUIRED, but I understand that there might be use cases where this can be problematic.
> "Either of the recommended parameters"? There is only one and that is id_token_hint.

My bad. Although id_token_hint needs to get a note about being required when post_logout_redirect_uri is provided.
> As-is today the only accepted behaviour is error.

~@rohe @selfissued are we aligned on this? Both OP-BackChannel-RpInitLogout-only-state (which doesn't make sense now that I think about it, given that no redirect will happen) and OP-BackChannel-RpInitLogout-no-post_logout_redirect_uri should expect an error screenshot.~
Now, this is a question for you. In a discussion with Mike I asked whether it was expected/plausible that the only information source for the OP would be the cookie. That is, no information whatsoever was transferred as parameters of the call. And if I remember correctly he said yes. If that is still a valid position, then having only state is a step up and should not result in an error.
My mixup: only-state and this (no-post_logout_redirect_uri) should all be tested the same, expecting the tester to submit a screenshot of the success logout page and ignoring the test suite's results, since there's no redirect back.
That being said, only-state still doesn't make sense to me, as the state is not being used for anything then.
Unless someone implements an OP that can use the registered post_logout_redirect_uri. That should still be a valid option, right? Since post_logout_redirect_uri is OPTIONAL it must be, IMHO.
> Unless someone implements an OP that can use the registered post_logout_redirect_uri. That should still be a valid option, right? Since post_logout_redirect_uri is OPTIONAL it must be, IMHO.

Only if we agreed on the mailing list to put that OAuth redirect_uri-like behaviour into the specification, yes.
Let's have that discussion then. @selfissued, want to chime in?
So not adding post_logout_redirect_uri to the request means: whatever you (the OP) do, don't send the user back to me. Don't want to see him again. :-)
> So not adding post_logout_redirect_uri to the request means: whatever you (the OP) do, don't send the user back to me. Don't want to see him again. :-)

That's how I read the draft today, yes.
This test disappeared from the list now.
Status: 🔴
There is no way to satisfy the success condition of this test.
Since there is no post logout redirect URI being sent, the OP behaviour is to either render success or redirect to a common success page under its origin.
@rohe made the argument this should behave like the OAuth2 redirect_uri, which is optional in cases where just one is registered.
First of all, that behaviour is optional for redirect_uri, and it does not apply here as that behaviour is not inherited or mentioned by the specification.
I think this test should be removed or changed so that it renders a note to the tester that he should take a screenshot of the success logout page that is not the RP.
The same (no success criteria and screenshot requirement) should be applied to only-state as well.
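As an added illustration (not code from this thread, from the certification suite, or from any participant), the Python sketch below models the OP-side decision being debated: with no post_logout_redirect_uri in the request the OP can only render its own success page, and a supplied state has no destination and is dropped; when a post_logout_redirect_uri is present, the OP ties it to a client through a valid id_token_hint (the reading @panva gives above) and compares it by exact string match against that client's registered URIs before redirecting, passing state back only on that redirect. The client ids, URIs and the id_token_hint lookup table are constructed placeholders; the table stands in for the OP's real ID Token validation. The `redirect_to_sole_registered_uri` flag is the OAuth-style behaviour @rohe argued for and is off by default, since the thread concludes the draft does not include it.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlencode

# Constructed client registrations (hypothetical client ids and URIs).
REGISTERED_CLIENTS = {
    "rp-client": {
        "post_logout_redirect_uris": [
            "https://rp.example/logged-out",
            "https://rp.example/bye",
        ],
    },
    "single-rp": {
        "post_logout_redirect_uris": ["https://single.example/after-logout"],
    },
}

# Stand-in for the OP's real ID Token validation: maps an already
# signature- and issuer-verified id_token_hint to the client (aud) it
# was issued to. Constructed values, not real tokens.
VERIFIED_ID_TOKEN_HINTS = {
    "idtoken-for-rp-client": "rp-client",
    "idtoken-for-single-rp": "single-rp",
}


@dataclass
class EndSessionRequest:
    id_token_hint: Optional[str] = None
    post_logout_redirect_uri: Optional[str] = None
    state: Optional[str] = None


@dataclass
class EndSessionOutcome:
    # "success_page": OP ends the session and renders its own confirmation.
    # "redirect":     OP sends the user agent to a registered RP URI.
    # "error_page":   OP refuses the redirect and renders an error locally.
    kind: str
    location: Optional[str] = None
    reason: Optional[str] = None


def handle_end_session(req: EndSessionRequest, *,
                       redirect_to_sole_registered_uri: bool = False) -> EndSessionOutcome:
    """Decide what the OP does after terminating the session (not modelled)."""
    client_id = VERIFIED_ID_TOKEN_HINTS.get(req.id_token_hint) if req.id_token_hint else None
    registered = (REGISTERED_CLIENTS.get(client_id, {}).get("post_logout_redirect_uris", [])
                  if client_id else [])

    target = req.post_logout_redirect_uri

    if target is None:
        # Default reading of the draft: nothing to redirect to, so the OP
        # renders its own success page. A bare `state` has no destination.
        if redirect_to_sole_registered_uri and len(registered) == 1:
            target = registered[0]  # the contested OAuth redirect_uri-like behaviour
        else:
            return EndSessionOutcome("success_page")

    # A redirect target was supplied (or inferred): it must belong to an
    # identified client and match a registered URI exactly. Never redirect to
    # an unverified URI, and never reflect it into the error page.
    if client_id is None:
        return EndSessionOutcome("error_page",
                                 reason="post_logout_redirect_uri requires a valid id_token_hint")
    if target not in registered:
        return EndSessionOutcome("error_page",
                                 reason="post_logout_redirect_uri is not registered for this client")

    location = target
    if req.state is not None:
        separator = "&" if "?" in target else "?"
        location = f"{target}{separator}{urlencode({'state': req.state})}"
    return EndSessionOutcome("redirect", location=location)


if __name__ == "__main__":
    # The two certification cases from this issue: only-state and
    # no-post_logout_redirect_uri both end on the OP's own success page.
    print(handle_end_session(EndSessionRequest(state="abc")))
    print(handle_end_session(EndSessionRequest(id_token_hint="idtoken-for-rp-client")))
    print(handle_end_session(EndSessionRequest(
        id_token_hint="idtoken-for-rp-client",
        post_logout_redirect_uri="https://rp.example/logged-out",
        state="abc")))
```

Exact matching matters here: a prefix or substring comparison would let a URI such as a registered value with extra path appended pass, so the check is plain list membership on the full string. With the flag left off, both the only-state and the no-post_logout_redirect_uri requests resolve to `success_page`, which is why neither test has a redirect the suite could assert on.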