Jose Loor

Reputation: 205

WSO2IS-5.7.0 OIDC SSO logout without id_token_hint

I am working with OIDC and WSO2IS-5.7.0. I want to implement RP-initiated global logout (I want to terminate the session on the RP as well as on the OP, WSO2 in my case). When the user clicks on the logout button, I am redirecting the user to this URL:

https://myserver:9443/oidc/logout?id_token_hint=<idtoken>&post_logout_redirect_uri=https://myotherserver.com/myapp/index

It is working fine and the user is redirected to the login page of WSO2. My client considers it not secure and wants to do the same without sending the id_token to the front end. Is it possible with WSO2IS-5.7.0?

If yes, how?

If no, isn't it insecure that we send the id token to the FE? Anyone can use it to make API calls?

Upvotes: 1

Views: 456

Answers (1)

sathya

Reputation: 553

It is not possible. In the WSO2 implementation we use the id_token_hint to extract the client_id from the id_token (sent as the id_token_hint). This is necessary to retrieve the service provider information for the service provider to which the id_token was issued.

Otherwise we don't have a way to validate whether the value sent in post_logout_redirect_uri is a registered callback for the service provider.

So if we omit the id_token_hint, we cannot validate the post_logout_redirect_uri that was sent, which would open up another security hole allowing redirection to untrusted URIs.

Upvotes: 2
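The check the answer describes, written out as an added example (not WSO2 code): the OP verifies that the id_token_hint is one it issued, reads the client_id from its aud claim, and only then compares post_logout_redirect_uri against that service provider's registered URIs; with no hint it ends the session but never follows the URI. The HS256 signing key, the registered-SP table and the exact-match URI policy are constructed assumptions for the demo.

```python
import base64, hashlib, hmac, json

# Constructed OP state: the OP's token signing key and the registered service
# providers with their allowed post-logout URIs (assumption: exact-match list).
OP_SIGNING_KEY = b"constructed-demo-key-not-for-production"
REGISTERED_SPS = {
    "myapp-client": ["https://myotherserver.com/myapp/index"],
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_id_token(client_id: str, sub: str) -> str:
    """Constructed HS256 id_token standing in for one the OP issued at login."""
    header = _b64url(json.dumps({"alg": "HS256"}).encode())
    payload = _b64url(json.dumps(
        {"iss": "https://myserver:9443", "aud": client_id, "sub": sub}).encode())
    sig = hmac.new(OP_SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def client_id_from_hint(id_token_hint: str):
    """Return the aud (client_id) of the hint, or None if the OP did not sign it."""
    try:
        header, payload, sig = id_token_hint.split(".")
        expected = hmac.new(OP_SIGNING_KEY, f"{header}.{payload}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(sig)):
            return None
        return json.loads(_unb64url(payload)).get("aud")
    except (ValueError, json.JSONDecodeError):
        return None

def handle_logout(params: dict):
    """Decide what /oidc/logout does; returns (outcome, redirect_target)."""
    hint = params.get("id_token_hint")
    target = params.get("post_logout_redirect_uri")
    if not hint:
        # Without the hint the OP cannot tell which SP sent the user, so it
        # cannot check the URI: end the session, but do not redirect anywhere.
        return ("logout_no_redirect", "")
    client_id = client_id_from_hint(hint)
    if client_id is None:
        return ("reject_invalid_hint", "")
    if target and target not in REGISTERED_SPS.get(client_id, []):
        return ("reject_unregistered_uri", "")  # blocks open redirects
    return ("logout_and_redirect", target or "")
```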
