2015-04-16 21:31 GMT+02:00 Brian Campbell <bcam...@pingidentity.com
> This question (or very close) has come up before. It sure seems like
> something needs to be added or adjusted or clarified in the spec.
> If a request is received at the end_session_endpoint with only
> post_logout_redirect_uri and state parameters, what should the OP do? Is
> that an error condition? Are the parameters just ignored? Is the expectation
> that the calling client be looked up based on the post_logout_redirect_uri
> (I'm guessing some OP/AS implementations won't want to index on the value
> just to support sending the user back somewhere after maybe logging out)?
> What if a client wants to use post_logout_redirect_uri but doesn't want to
> hold onto the id token in order to use it as an id_token_hint? Or doesn't
> like the idea of passing id tokens around as parameters?
> Does the id_token_hint mean that, to use John's words, "it is a trusted RP"?
> Nothing says that that I see. It mostly just talks about being a "hint about
> the End-User's current authenticated session with the Client." What if it's
> expired? What if it's encrypted? Should the signature verify? What if keys
> have rotated so as to make signature verification impossible? If there is a
> problem, should the client be informed of the error? Or the user? Or ignore
> it and move on?
> I feel like a different set of questions come to mind each time I read this
> bit of the spec. That's what came to mind today.