Reputation: 1271
I'm working with the spec 'https://openid.net/specs/openid-connect-session-1_0.html#RPLogout' to implement the feature RP-initiated logout. What I need to know is actually what is meant by 'id_token_hint' here. Is it the same as the client ID, or is it the authorization code that we receive from the OP after logging in to it? Otherwise, what is the 'id_token_hint' mentioned in the spec? Any explanation is highly appreciated.
Thanks.
Upvotes: 2
Views: 2387
Reputation: 54088
The value of the id_token_hint parameter is the actual ID Token that was received earlier from the OpenID Connect Provider. As the spec says:
This is used as an indication of the identity of the End-User that the RP is requesting be logged out by the OP.
It would prevent attackers from clickjacking and logging out users from their accounts because only the real RP can present the valid ID Token for the user (although the OP should ask for confirmation before actually logging the user out).
Upvotes: 2
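An added example, not from the original answer or the spec, showing both halves of what is described: the RP building the end-session request with its stored ID Token as id_token_hint, and the OP checking the hint's signature and subject against the current session before honouring the logout. The endpoint, client ID, issuer and the HS256 shared key are constructed values for an offline demo; a real OP would verify its own asymmetric signature.

```python
import base64, hashlib, hmac, json, urllib.parse

# Constructed example values (hypothetical OP and RP; not from the original post).
END_SESSION_ENDPOINT = "https://op.example.com/connect/endsession"
ISSUER = "https://op.example.com"
CLIENT_ID = "rp-client-123"
SIGNING_KEY = b"constructed-hs256-demo-key"   # real OPs sign ID Tokens with RS256/ES256 keys

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_id_token(sub: str, aud: str) -> str:
    """Stand-in for the ID Token the OP issued to the RP at login."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"iss": ISSUER, "sub": sub, "aud": aud}).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def build_logout_url(id_token: str, post_logout_redirect_uri: str, state: str) -> str:
    """RP side: the stored ID Token (not the client ID or auth code) is the id_token_hint."""
    params = {"id_token_hint": id_token,
              "post_logout_redirect_uri": post_logout_redirect_uri,
              "state": state}
    return END_SESSION_ENDPOINT + "?" + urllib.parse.urlencode(params)

def op_accepts_logout(url: str, session_sub: str) -> bool:
    """OP side: only log out without a prompt when the hint is genuine and names this user."""
    qs = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    hint = qs.get("id_token_hint", [None])[0]
    if not hint or hint.count(".") != 2:
        return False            # no usable hint: OP should fall back to asking for confirmation
    header, payload, sig = hint.split(".")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        return False            # refuse unexpected algorithms (alg confusion)
    expected = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return False            # tampered or forged hint
    claims = json.loads(_b64url_decode(payload))
    # The hint must have been issued by this OP to this RP for the currently logged-in End-User.
    return (claims.get("iss") == ISSUER and claims.get("aud") == CLIENT_ID
            and claims.get("sub") == session_sub)
```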