This repository was archived by the owner on Sep 1, 2020. It is now read-only.

rp-backchannel-rpinitlogout: should not callback the initiating RP #205

@zandbelt

When my RP initiates the backchannel logout towards the OP, it also kills its own session before doing so. It does not expect the OP to call back to itself; the session is already killed by then. The test suite seems to assume that the RP needs a callback to kill the session, and the initial request is merely a redirect to trigger that.

The logout spec points to the session management spec which says in https://openid.net/specs/openid-connect-session-1_0.html#RPLogout:

An RP can notify the OP that the End-User has logged out of the site and might want to log out of the OP as well. In this case, the RP, after having logged the End-User out of the RP, redirects the End-User's User Agent to the OP's logout endpoint URL.

So though it does not say that the OP should not call back the initiating RP, I believe that follows from the current text nevertheless: calling back is pointless because the RP should have already killed its own session. Therefore I suggest adapting the test suite for that.
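The behaviour described in this issue, as an added example that is not code from the issue, the reporter's RP or the test suite: a minimal in-memory RP that ends its own session before redirecting to the OP, and whose back-channel logout handler is a no-op when the OP calls back for a session that is already gone. The endpoint URLs, the `RelyingParty` class and its method names are hypothetical, and logout-token signature, `iss`, `aud` and `iat` validation is assumed to have happened before `backchannel_logout` is called.

```python
import secrets
from urllib.parse import urlencode

# Constructed values for illustration; not taken from the issue or the test suite.
END_SESSION_ENDPOINT = "https://op.example.com/end_session"
POST_LOGOUT_REDIRECT_URI = "https://rp.example.com/logged-out"
BACKCHANNEL_EVENT = "http://schemas.openid.net/event/backchannel-logout"


class RelyingParty:
    def __init__(self):
        self.sessions = {}  # local session id -> {"sid", "sub", "id_token"}

    def login(self, sid, sub, id_token):
        local_id = secrets.token_urlsafe(16)
        self.sessions[local_id] = {"sid": sid, "sub": sub, "id_token": id_token}
        return local_id

    def rp_initiated_logout(self, local_id):
        """Kill the local session first, then build the redirect to the OP."""
        session = self.sessions.pop(local_id)
        params = {
            "id_token_hint": session["id_token"],
            "post_logout_redirect_uri": POST_LOGOUT_REDIRECT_URI,
            "state": secrets.token_urlsafe(16),
        }
        return END_SESSION_ENDPOINT + "?" + urlencode(params)

    def backchannel_logout(self, claims):
        """Handle logout-token claims that the caller has already validated
        (signature, iss, aud, iat). Returns the number of sessions terminated."""
        if BACKCHANNEL_EVENT not in claims.get("events", {}):
            raise ValueError("not a back-channel logout token")
        if "nonce" in claims:
            raise ValueError("logout token must not contain a nonce")
        sid, sub = claims.get("sid"), claims.get("sub")
        if sid is None and sub is None:
            raise ValueError("logout token needs sid or sub")
        # Match on sid when present, otherwise on sub.
        doomed = [k for k, s in self.sessions.items()
                  if (sid is not None and s["sid"] == sid)
                  or (sid is None and s["sub"] == sub)]
        for k in doomed:
            del self.sessions[k]
        return len(doomed)  # 0 when the session is already gone
```

For the initiating RP the handler returns 0, while another RP that still holds a session with the same `sid` terminates it.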

Labels: session-management-logout (issues related to the WIP for logout and session management related tests)
