
Consider OIDC Back-Channel favoring logout_token over CSRF #13841

Closed
@jzheaux

Description


The current OIDC back-channel logout support saves the end-user's CSRF token to use in a self-logout call when the back-channel request comes from the authorization server.

This adds more information to OidcSessionInformation than may be necessary. Instead, I think it would also work to send the logout_token in place of the CSRF token.

The upside is a simpler contract and simpler configuration. The possible downside is the logout token is validated multiple times, once for each session being invalidated.
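As an added example (not Spring Security's code and not part of the issue text), the following Python model contrasts the two dispatch designs the issue describes: the relying party either stores a per-session CSRF token and presents it on the self-logout call, or forwards the OP's logout_token and lets the self-logout endpoint validate it again for every session. The `RelyingParty` class, the in-memory session registry, the HS256-signed token (a stand-in for the OP's asymmetric JWKS key), and all issuer, client and session identifiers are assumptions constructed for the demo; the claim checks follow OIDC Back-Channel Logout 1.0 section 2.6.

```python
import base64, hashlib, hmac, json, secrets, time

BACKCHANNEL_EVENT = "http://schemas.openid.net/event/backchannel-logout"
OP_SIGNING_KEY = b"constructed-demo-key"   # constructed; a real OP signs with its JWKS key
ISSUER = "https://op.example"              # constructed issuer
CLIENT_ID = "rp-client"                    # constructed client_id (the RP's audience)


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_logout_token(claims: dict) -> str:
    """Mint a compact JWT the way the OP would (HS256 stands in for RS256 here)."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "logout+jwt"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(OP_SIGNING_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"


def validate_logout_token(token: str, now=None) -> dict:
    """Logout Token checks from OIDC Back-Channel Logout 1.0 section 2.6; raises ValueError."""
    try:
        head, body, sig = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    expected = hmac.new(OP_SIGNING_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected iss")
    if CLIENT_ID not in aud:
        raise ValueError("unexpected aud")
    if not isinstance(claims.get("iat"), (int, float)) or claims["iat"] > now + 60:
        raise ValueError("missing or future iat")
    if BACKCHANNEL_EVENT not in claims.get("events", {}):
        raise ValueError("not a back-channel logout event")
    if "nonce" in claims:
        raise ValueError("nonce MUST NOT be present")
    if not (claims.get("sub") or claims.get("sid")):
        raise ValueError("sub or sid required")
    return claims


def _matches(info: dict, claims: dict) -> bool:
    """A session is targeted when every identifier the token carries agrees with it."""
    if "sid" in claims and info["sid"] != claims["sid"]:
        return False
    if "sub" in claims and info["sub"] != claims["sub"]:
        return False
    return True


class RelyingParty:
    """Hypothetical RP: session registry plus the app's own self-logout endpoint."""

    def __init__(self, keep_csrf_token: bool):
        self.keep_csrf_token = keep_csrf_token   # True models storing the CSRF token per session
        self.sessions = {}                       # session_id -> stored OIDC session information
        self.token_validations = 0               # how many times a logout_token was validated

    def login(self, session_id: str, sub: str, sid: str) -> None:
        info = {"sub": sub, "sid": sid}
        if self.keep_csrf_token:
            info["csrf_token"] = secrets.token_hex(16)   # the extra per-session state
        self.sessions[session_id] = info

    def self_logout(self, session_id: str, csrf_token=None, logout_token=None) -> bool:
        """The RP's own logout endpoint, invoked once per session to invalidate."""
        info = self.sessions.get(session_id)
        if info is None:
            return False
        if csrf_token is not None:
            ok = hmac.compare_digest(info.get("csrf_token", ""), csrf_token)
        elif logout_token is not None:
            claims = validate_logout_token(logout_token)   # re-validated for every session
            self.token_validations += 1
            ok = _matches(info, claims)
        else:
            ok = False
        if ok:
            del self.sessions[session_id]
        return ok

    def backchannel_logout(self, logout_token: str) -> list:
        """Endpoint the OP POSTs the logout_token to; returns the invalidated session ids."""
        claims = validate_logout_token(logout_token)   # validated once to locate sessions
        self.token_validations += 1
        targets = [s for s, info in self.sessions.items() if _matches(info, claims)]
        done = []
        for session_id in targets:
            if self.keep_csrf_token:
                cred = {"csrf_token": self.sessions[session_id]["csrf_token"]}
            else:
                cred = {"logout_token": logout_token}
            if self.self_logout(session_id, **cred):
                done.append(session_id)
        return done


def demo(keep_csrf_token: bool) -> tuple:
    """Log the same user in twice, then log out every session of that user by sub."""
    rp = RelyingParty(keep_csrf_token)
    rp.login("JSESSIONID-1", sub="alice", sid="op-sess-1")   # constructed session ids
    rp.login("JSESSIONID-2", sub="alice", sid="op-sess-2")
    rp.login("JSESSIONID-3", sub="bob", sid="op-sess-3")
    token = sign_logout_token({"iss": ISSUER, "aud": CLIENT_ID, "iat": int(time.time()),
                               "jti": "constructed-jti", "sub": "alice",
                               "events": {BACKCHANNEL_EVENT: {}}})
    gone = rp.backchannel_logout(token)
    return sorted(gone), sorted(rp.sessions), rp.token_validations
```

Running `demo(True)` and `demo(False)` invalidates the same two sessions either way; the difference is in what each session record has to carry and how often the token's signature and claims are checked: once in the CSRF-token design, and once plus one more per targeted session when the logout_token is forwarded, which is the trade-off the issue points at.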

Labels

in: oauth2 (An issue in OAuth2 modules: oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose)
type: enhancement (A general enhancement)
