Hi Nat Sakimura,

Thanks for your suggestion. I have posted this to [email protected]

Thanks,
Piraveena

On Thu, 9 Jul 2020 at 12:37, Nat Sakimura <[email protected]> wrote:

> Hi
>
> It might be better for you to post this to the OpenID AB/C WG. There are
> more experts there. The list address is
>
> [email protected]
>
> You need to sign the IPR agreement and subscribe to the list before
> posting, but the IPR agreement is asking just you so not sure other
> implementers in implementing the spec so it shouldn't be hard.
>
> Best,
>
> Nat Sakimura
> Chairman, OpenID Foundation
> https://nat.sakimura.org
>
> On 9 Jul 2020 at 14:41 +0900, Piraveena Paralogarajah <[email protected]> wrote:
>
> Hi all,
>
> We have a requirement for using an encrypted id_token which is signed using
> the application's certificate. But we have some issues when using
> encrypted id_tokens during OIDC logout.
>
> The use case is the following.
>
> 1. An application is using an encrypted id_token due to security measures.
>    This id_token is encrypted using the application's certificate.
> 2. Once logged out from the application, it needs to redirect the user to the end
>    application.
> 3. To achieve 2, the application must send the plain text id_token as
>    id_token_hint, because the IdP is using the id_token to identify the
>    application.
>
> We could find the following possible solutions:
>
> 1. Make id_token_hint not required to redirect to the application. But
>    we use id_token_hint to identify the RP-initiated logout. From the
>    id_token_hint, we derive the client_id. What is the best approach to
>    identify the client during logout?
>
> 2. Ask the application to encrypt the decrypted token with the
>    IdP certificate. Then in the logout flow, the IdP decrypts and verifies the
>    token. This adds more overhead for the application as well.
>
> Any thoughts on how to handle an encrypted id_token_hint for OIDC logout?
>
> Appreciate your suggestions on this.
>
> Thank you for your time,
> Piraveena
> --
> *Piraveena Paralogarajah*
>
> *Blog:* https://medium.com/@piraveenaparalogarajah
> *LinkedIn*: https://www.linkedin.com/in/piraveena-paralogarajah
>
> _______________________________________________
> Code mailing list
> [email protected]
> http://lists.openid.net/mailman/listinfo/openid-code
>

--
*Piraveena Paralogarajah*
*Blog:* https://medium.com/@piraveenaparalogarajah
*LinkedIn*: https://www.linkedin.com/in/piraveena-paralogarajah
_______________________________________________ specs mailing list [email protected] http://lists.openid.net/mailman/listinfo/openid-specs
