Hi all,

As mentioned in the OpenID Connect Core specification [1], in the Implicit Flow the ID Token is returned to the User Agent as a URI fragment in the redirect URL of the response.

The server has no access to the ID Token; therefore the server will not be aware of any user session at the client side, thereby making Back-Channel Logout [2] pointless. Should the ID Token be sent to the server for establishing a user session at the server? Or is back-channel logout for RPs using the Implicit Flow not necessary?

Any input will be appreciated.

[1] https://openid.net/specs/openid-connect-core-1_0.html#ImplicitAuthResponse
[2] https://openid.net/specs/openid-connect-backchannel-1_0.html

Regards,
--
*Ashen De Silva*
Intern - Software Engineering
WSO2, Inc.
Mob: +94 71 349 8442
Web: http://wso2.com
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
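The dependency the question describes, as an added example that is not part of the original post or of any WSO2 code: a toy Relying Party (RP) whose HTTP server only ever sees the query string of the Implicit Flow redirect (the browser strips the fragment before sending the request), and whose back-channel logout handler can only terminate sessions it previously recorded from an ID Token's `sub`/`sid` claims. The issuer, client ID, session IDs and the HS256 shared secret are constructed for the demo; a real RP would verify the OP's RS256/ES256 signature against its JWKS instead.

```python
"""Why an Implicit Flow RP cannot act on a back-channel logout unless the
ID Token (or at least its sub/sid claims) reaches the RP's server.
Constructed demo: HS256 with a shared secret stands in for the OP's key."""
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, urlsplit

SHARED_SECRET = b"constructed-demo-secret"   # hypothetical, demo only
ISSUER = "https://op.example"                # hypothetical OP
CLIENT_ID = "rp-client"                      # hypothetical RP client_id
BACKCHANNEL_EVENT = "http://schemas.openid.net/event/backchannel-logout"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict) -> str:
    """Mint a compact JWS (HS256) over the given claims; plays the OP."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SHARED_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str) -> dict:
    """Check signature, issuer, audience and (if present) expiry; return claims."""
    header, payload, sig = token.split(".")
    expected = hmac.new(SHARED_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID:
        raise ValueError("wrong issuer or audience")
    if "exp" in claims and claims["exp"] < int(time.time()):
        raise ValueError("token expired")
    return claims


def server_visible_params(redirect_url: str) -> dict:
    """What the RP's HTTP server receives: only the query string, never the fragment."""
    return parse_qs(urlsplit(redirect_url).query)


def browser_visible_params(redirect_url: str) -> dict:
    """What JavaScript in the User Agent can read from the fragment."""
    return parse_qs(urlsplit(redirect_url).fragment)


class RelyingParty:
    def __init__(self):
        self.sessions = {}  # local session id -> {"sub": ..., "sid": ...}

    def register_session(self, local_session_id: str, id_token: str) -> None:
        """Bind a server-side session to the OP session; requires the ID Token."""
        claims = verify_jwt(id_token)
        self.sessions[local_session_id] = {"sub": claims["sub"], "sid": claims.get("sid")}

    def handle_backchannel_logout(self, logout_token: str) -> list:
        """Terminate sessions matching the Logout Token's sid (or sub if no sid)."""
        claims = verify_jwt(logout_token)
        if BACKCHANNEL_EVENT not in claims.get("events", {}) or "nonce" in claims:
            raise ValueError("not a Logout Token")
        if "sub" not in claims and "sid" not in claims:
            raise ValueError("Logout Token must carry sub and/or sid")
        sid, sub = claims.get("sid"), claims.get("sub")
        hits = [k for k, s in self.sessions.items()
                if (sid is not None and s["sid"] == sid) or (sid is None and s["sub"] == sub)]
        for k in hits:
            del self.sessions[k]
        return hits


def demo() -> tuple:
    """Returns (sessions ended before the RP saw the ID Token, sessions ended after)."""
    now = int(time.time())
    id_token = sign_jwt({"iss": ISSUER, "sub": "user-123", "aud": CLIENT_ID, "iat": now,
                         "exp": now + 300, "nonce": "n-0S6_WzA2Mj", "sid": "op-session-42"})
    redirect = f"https://rp.example/cb?state=xyz#id_token={id_token}"  # Implicit Flow response
    logout_token = sign_jwt({"iss": ISSUER, "sub": "user-123", "aud": CLIENT_ID, "iat": now,
                             "jti": "bWJq", "sid": "op-session-42",
                             "events": {BACKCHANNEL_EVENT: {}}})
    rp = RelyingParty()
    before = rp.handle_backchannel_logout(logout_token)   # server never saw the fragment
    rp.register_session("cookie-abc", browser_visible_params(redirect)["id_token"][0])
    after = rp.handle_backchannel_logout(logout_token)    # now the sid matches a session
    return before, after


if __name__ == "__main__":
    print(demo())
```

With the Implicit Flow response left untouched, `server_visible_params` contains only `state`, so the first logout attempt finds nothing to terminate; only after the front end posts the fragment's `id_token` to the server and the RP records `sid` does the same Logout Token end the session.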
