Hydra: Do not distinguish between OP/RP initiated logout for `id_token_hint`

Created on 15 Aug 2020  路  10Comments  路  Source: ory/hydra

At least in the latest spec: https://openid.net/specs/openid-connect-rpinitiated-1_0.html

Currently Hydra uses id_token_hint to determine if logout is RP-initiated or OP-initiated. I do not think this is possible by relaying on id_token_hint.

Looking at the implementation of issueLogoutVerifier I think the logic is correct (if id_token_hint is missing, you ask for consent, if it is provided and valid, you just logout). But documentation if confusing because it implies something which I do not see in the spec. You can call logout from RP without id_token_hint, but user will get a confirmation shown.

docs good first issue help wanted

Most helpful comment

I can add it to my TODO. :-)

All 10 comments

Could you point out the point in the doc or propose a change to improve the language?

Oh, sorry. I forgot to link to relevant docs. Here: https://www.ory.sh/hydra/docs/concepts/logout/

Not sure about the language change, but maybe simply all that language about OP-initiated and RP-initiated flows could be dropped, simply saying that whoever invokes it, can or not provide id_token_hint and then how the rest flows.

But the distinction is important. The flow does have OP and RP flows, so why should we omit that information from developers?

I'm not sure I really understand the problem. Could you maybe simply do a suggestion to the things you find unclear? Not sure if I can help otherwise.

Where in this spec there is this distinction? RP can or not provide the id_token_hint. It has noting with being an OP or RP.

It's not possible to figure out the client_id without an id_token_hint as a single login session can have multiple clients associated with it. If we can't figure out the client_id, we can not validate post_logout_uri, which also makes the state useless. The RP spec does not care about this at all, which is a common theme in IETF/OpenID Foundation drafts and even specs (think JWS/JWT spec...).

The logout screen is shown for OP and RP alike, because we need to protect against CSRF attacks for the OP-flow as ORY Hydra does not have a "logout screen" itself (because of delegation to the consent/logout/login app). This is a drawback of delegating the UI to another component.

This is therefor documented correctly, and implemented correctly, given the limitations of real world use of the spec.

No, the spec is very clear about that. post_logout_uri is only allowed if id_token_hint is provided:

post_logout_redirect_uri: ... An id_token_hint is also REQUIRED when this parameter is included.

state of course has no sense without post_logout_redirect_uri.

Yes, without id_token_hint you should show the logout dialog. You can when it is present.

What I am just saying is that it is unnecessary to talk about OP and RP here. Does it really matter who initializes the logout? And yes, the spec allows RP to initialize it without id_token_hint. The flow is then the same as what you currently call the OP flow. So this distinction is unnecessary.

I see, now it makes sense :) Would you be open to contribute a docs change to clarify that?

I can add it to my TODO. :-)

Was this page helpful?
0 / 5 - 0 ratings