Hi Piraveens,

The consent we talk about here is about removing the whole OP session, not
about the whole logout process initiated from the RP. Having the logout
process reach this level means the user has already passed any
consent/confirmation on the RP side of the logout flow. So at this point,
the user should get logged out from the RP, but the user still has the option
(only) to keep the OP session or remove the OP session, and that's what the OP
consent is for.

So, denying the OP consent shouldn't be considered a logout failure case.
Rather, the user opted to keep the OP-side session live and only wanted to
remove the RP session.

Depending on the OP implementation, it might have to clear OP session
information related to this RP, like removing this RP from the session
participation list and updating obps session states etc.

Thanks,

On Tue, Mar 31, 2020 at 9:17 AM Piraveena Paralogarajah <
[email protected]> wrote:

> Hi Thomas Broyer and Darshana,
>
> Thanks for your response.
>
> According to the spec
> <https://openid.net/specs/openid-connect-session-1_0.html#RPLogout>, the
> user agent needs to be redirected to post_logout_redirect_uri by the OP
> after logout is performed.
>
> post_logout_redirect_uri
> OPTIONAL. URL to which the RP is requesting that the End-User's User Agent
> be redirected after a logout has been performed. The value MUST have been
> previously registered with the OP, either using the
> post_logout_redirect_uris Registration parameter or via another mechanism.
> If supplied, the OP SHOULD honor this request following the logout.
>
> But in this case, the user denies the logout consent and logout didn't
> happen on the OP side. So is it a correct approach to redirect to
> post_logout_redirect_uri, as logout failed on the OP side?
>
> Thanks,
> Piraveena
>
> On Mon, 30 Mar 2020 at 21:53, Darshana Gunawardana <[email protected]>
> wrote:
>
>> Hi Piraveena,
>>
>> If the RP is not sending the *post_logout_redirect_uri*, or it doesn't match
>> the OP-registered *post_logout_redirect_uris* (regardless of whether the
>> user denied the consent or approved), the user would be redirected to some
>> page in the OP.
>>
>> If the post_logout_redirect_uri is available and valid, IMO the better
>> behaviour would be redirecting to the *post_logout_redirect_uri*. Here, the
>> user will only be logged out from the RP, but not the OP.
>>
>> PS: Saw Thomas's reply halfway through, but continued sending this one. :)
>>
>> Thanks,
>>
>> On Mon, Mar 30, 2020 at 8:28 PM Piraveena Paralogarajah <
>> [email protected]> wrote:
>>
>>> Hi all,
>>>
>>> According to the OIDC Session management
>>> <https://openid.net/specs/openid-connect-session-1_0.html#RPLogout>
>>> spec,
>>>
>>> "At the logout endpoint, the OP SHOULD ask the End-User whether he wants
>>> to log out of the OP as well. If the End-User says "yes", then the OP MUST
>>> log out the End-User.
>>>
>>> It doesn't say how to handle when the user denies the logout consent.
>>>
>>> How to handle if the user denies the logout consent? What is the
>>> possible approach?
>>> Appreciate your suggestions on this.
>>>
>>> Thank you for your time,
>>> Piraveena
>>>
>>> --
>>> *Piraveena Paralogarajah*
>>> Undergraduate,
>>> Department of Computer Science and Engineering,
>>> University of Moratuwa.
>>>
>>>
>>> *E-mail*: [email protected]
>>> *Blog:* https://medium.com/@piraveenaparalogarajah
>>> *LinkedIn*: https://www.linkedin.com/in/piraveena-paralogarajah
>>> <https://www.linkedin.com/in/piraveena-paralogarajah>
>>>
>>> _______________________________________________
>>> specs mailing list
>>> [email protected]
>>> http://lists.openid.net/mailman/listinfo/openid-specs
>>>
>>
>>
>> --
>> Regards,
>> *Darshana Gunawardana*
>> https://www.linkedin.com/in/darshana-gunawardana-a23b6037/
>>
>
>
> --
> *Piraveena Paralogarajah*
>
>
> *E-mail*: [email protected]
> *Blog:* https://medium.com/@piraveenaparalogarajah
> *LinkedIn*: https://www.linkedin.com/in/piraveena-paralogarajah
> <https://www.linkedin.com/in/piraveena-paralogarajah>
>
>

-- 
Regards,
*Darshana Gunawardana*
https://www.linkedin.com/in/darshana-gunawardana-a23b6037/
_______________________________________________
specs mailing list
[email protected]
http://lists.openid.net/mailman/listinfo/openid-specs
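The end-session behaviour agreed on in this thread, written out as an added example (this is illustration code, not code from any of the participants or from an OpenID implementation). It assumes a hypothetical OP-hosted fallback page (`OP_LOGGED_OUT_PAGE`), a constructed client registry (`CLIENT_REGISTRY`) keyed by client_id, and a server-side `OpSession` carrying a participation list of client_ids. The RP is always dropped from the participation list; the End-User's answer to the OP consent prompt only decides whether the OP session itself is terminated; and `post_logout_redirect_uri` is honoured only on an exact match against the registered values, so the endpoint cannot be used as an open redirector. The `state` handling (echoed back as a query parameter) follows the spec text quoted above.

```python
"""Decision logic for an OP's end-session (RP-initiated logout) endpoint.

Added illustration: denial of the "log out of the OP as well?" prompt is
not a failure; the RP session is ended and the OP session stays alive.
"""
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Hypothetical OP-hosted page used when no valid redirect URI was supplied.
OP_LOGGED_OUT_PAGE = "https://op.example.com/logged-out"

# Constructed client registry: only exact, pre-registered URIs are honoured.
CLIENT_REGISTRY = {
    "rp-a": {"post_logout_redirect_uris": ["https://rp-a.example/bye"]},
    "rp-b": {"post_logout_redirect_uris": ["https://rp-b.example/after-logout"]},
}


@dataclass
class OpSession:
    """Server-side OP session and the RPs that authenticated through it."""
    sid: str
    subject: str
    active: bool = True
    participants: set = field(default_factory=set)  # client_ids


@dataclass(frozen=True)
class LogoutOutcome:
    redirect_to: str
    op_session_active: bool
    remaining_participants: frozenset


def _append_query(url: str, params: dict) -> str:
    """Append query parameters, keeping any existing query and fragment."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True) + list(params.items())
    return urlunsplit(parts._replace(query=urlencode(query)))


def resolve_post_logout_redirect(client_id, requested_uri, state=None):
    """Pick the URL the User Agent is sent to after the logout endpoint.

    Missing, unregistered or merely similar URIs (different scheme, extra
    path segment, trailing slash) all fall back to the OP's own page.
    """
    registered = CLIENT_REGISTRY.get(client_id, {}).get("post_logout_redirect_uris", [])
    if requested_uri is None or requested_uri not in registered:
        return OP_LOGGED_OUT_PAGE
    if state is None:
        return requested_uri
    return _append_query(requested_uri, {"state": state})


def handle_rp_initiated_logout(session, client_id, post_logout_redirect_uri=None,
                               state=None, user_consents_to_op_logout=False):
    """Apply an RP-initiated logout to the OP session.

    The RP-side logout has already happened by the time the OP asks its
    consent question, so the RP is always removed from the participation
    list.  Only a "yes" terminates the whole OP session; a "no" keeps it
    alive for the remaining participants and is not an error.
    """
    session.participants.discard(client_id)
    if user_consents_to_op_logout:
        session.active = False
        session.participants.clear()
    redirect = resolve_post_logout_redirect(client_id, post_logout_redirect_uri, state)
    return LogoutOutcome(redirect, session.active, frozenset(session.participants))


if __name__ == "__main__":
    s = OpSession("sess-1", "alice", participants={"rp-a", "rp-b"})
    # User declines OP logout: redirected to the RP, OP session survives.
    print(handle_rp_initiated_logout(s, "rp-a", "https://rp-a.example/bye", "xyz"))
    # User accepts OP logout from the second RP: session terminated.
    print(handle_rp_initiated_logout(s, "rp-b", "https://rp-b.example/after-logout",
                                     user_consents_to_op_logout=True))
```

Note that the registry check is an exact string comparison; a prefix or "same host" match would let an RP registered for `https://rp-a.example/bye` bounce the user to an arbitrary path it controls with the OP's endpoint as the referrer.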
