Closed guilhermednt closed 8 years ago
I have some questions about the RP-Initiated Logout:
1) Should we allow logout without user interaction/consent? If a valid ID Token is provided, should we allow the user to be automatically logged out or should we prompt for consent? I'm more inclined to always ask the user for confirmation as suggested by the spec.
2) Should we allow redirect without user consent?
Either way, should we also ask for consent before redirecting? In this case I think I'm more in favor of redirecting directly for a better UX, since the end_session_endpoint might be a pop-up and the post_logout_redirect_uri would be responsible for closing it. Also, the user might be expecting to get back to the RP, since this is where he was initially.
Since it seems that the final spec will take some time to be released, I propose we at least implement the draft (1 and 2) given this is a security issue.
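The two questions above come down to what the end_session_endpoint does with `id_token_hint` and `post_logout_redirect_uri`. Below is an added, stand-alone example of that decision logic; it is not code from this project or from the issue author. It assumes a toy HS256 ID Token signed with a shared secret (a real OP would verify its own RS256/ES256 signature), a constructed client registry with one RP, the issuer `https://op.example`, and one policy choice that is mine, not the spec's: the user is logged out without a prompt only when the hint verifies and names the user of the current session, and a redirect is honoured only in that same case and only to an exact-match registered URI.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlencode

# Constructed sample data (hypothetical issuer, client and secret).
ISSUER = "https://op.example"
CLIENT_SECRET = b"constructed-shared-secret-for-the-example"
REGISTERED_CLIENTS = {
    "rp-client-1": {"post_logout_redirect_uris": ["https://rp.example/logged-out"]},
}
# Policy knob for question 1: set True to always ask the user, as the draft suggests.
REQUIRE_CONFIRMATION_ALWAYS = False


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_id_token(sub: str, client_id: str, secret: bytes = CLIENT_SECRET) -> str:
    """Toy HS256 ID Token so the example runs offline (assumption, not a real OP's token)."""
    now = int(time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": sub, "aud": client_id, "iat": now, "exp": now + 3600}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_id_token_hint(token: str, secret: bytes = CLIENT_SECRET):
    """Return the claims if the hint was issued by this OP to a registered RP, else None.
    exp is deliberately not enforced: the hint only identifies who is logging out."""
    try:
        h64, c64, s64 = token.split(".")
        expected = hmac.new(secret, (h64 + "." + c64).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s64)):
            return None
        header = json.loads(_b64url_decode(h64))
        claims = json.loads(_b64url_decode(c64))
    except (ValueError, TypeError):
        return None
    if header.get("alg") != "HS256" or claims.get("iss") != ISSUER:
        return None
    if claims.get("aud") not in REGISTERED_CLIENTS:
        return None
    return claims


def select_post_logout_redirect(client_id, requested_uri):
    """Exact string match against the RP's registered URIs; anything else yields None."""
    if requested_uri is None:
        return None
    registered = REGISTERED_CLIENTS.get(client_id, {}).get("post_logout_redirect_uris", [])
    return requested_uri if requested_uri in registered else None


def decide_logout(params: dict, session_sub):
    """params: query parameters of the end_session request; session_sub: user of the
    current OP session (None when there is none). Returns what the OP should do."""
    claims = verify_id_token_hint(params["id_token_hint"]) if "id_token_hint" in params else None
    hint_matches_session = claims is not None and claims.get("sub") == session_sub
    # Question 1: skip the confirmation only for a verified hint that names the
    # logged-in user; an unknown or forged hint, or none at all, means we ask.
    prompt = REQUIRE_CONFIRMATION_ALWAYS or not hint_matches_session
    # Question 2: redirect without further consent, but only to a registered URI
    # of the RP the verified hint identifies; otherwise stay on the OP page.
    redirect = None
    if hint_matches_session:
        redirect = select_post_logout_redirect(claims["aud"], params.get("post_logout_redirect_uri"))
        if redirect and params.get("state"):
            redirect += "?" + urlencode({"state": params["state"]})
    return {
        "prompt_for_confirmation": prompt,
        "logout_now": (not prompt) and session_sub is not None,
        "redirect_to": redirect,
    }


if __name__ == "__main__":
    token = mint_id_token("alice", "rp-client-1")
    print(decide_logout({"id_token_hint": token,
                         "post_logout_redirect_uri": "https://rp.example/logged-out",
                         "state": "xyz"}, session_sub="alice"))
```

The exact-match check on `post_logout_redirect_uri` is the part worth keeping whatever consent policy is chosen: a prefix or pattern match turns the logout endpoint into an open redirector for anyone who can obtain a valid ID Token.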