Hi Piraveena,

If the RP is not sending the *post_logout_redirect_uri*, or it's not matched with the OP-registered *post_logout_redirect_uris* (regardless of whether the user denied or approved the consent), the user would be redirected to some page in the OP.

If the post_logout_redirect_uri is available and valid, IMO the better behaviour would be redirecting to the *post_logout_redirect_uri*. Here, the user will only be logged out from the RP, but not the OP.

PS: Saw Thomas's reply halfway through, but continued sending this one. :)

Thanks,

On Mon, Mar 30, 2020 at 8:28 PM Piraveena Paralogarajah < [email protected]> wrote:

> Hi all,
>
> According to the OIDC Session management
> <https://openid.net/specs/openid-connect-session-1_0.html#RPLogout> spec,
>
> "At the logout endpoint, the OP SHOULD ask the End-User whether he wants
> to log out of the OP as well. If the End-User says "yes", then the OP MUST
> log out the End-User."
>
> It doesn't say how to handle when the user denies the logout consent.
>
> How to handle if the user denies the logout consent? What is the possible
> approach?
> Appreciate your suggestions on this.
>
> Thank you for your time,
> Piraveena
>
> --
> *Piraveena Paralogarajah*
> Undergraduate,
> Department of Computer Science and Engineering,
> University of Moratuwa.
>
> *E-mail*: [email protected]
> *Blog:* https://medium.com/@piraveenaparalogarajah
> *LinkedIn*: https://www.linkedin.com/in/piraveena-paralogarajah
> <https://www.linkedin.com/in/piraveena-paralogarajah>
>
> _______________________________________________
> specs mailing list
> [email protected]
> http://lists.openid.net/mailman/listinfo/openid-specs
>

--
Regards,

*Darshana Gunawardana*
https://www.linkedin.com/in/darshana-gunawardana-a23b6037/
