Hi all,

We have a requirement for using an encrypted id_token which is signed using the application's certificate. But we have some issues when using encrypted id_tokens during OIDC logout.

The use case is the following:

1. An application is using an encrypted id_token due to security measures. This id_token is encrypted using the application's certificate.
2. Once logged out from the application, it needs to redirect the user to the end application.
3. To achieve 2, the application must send the plain-text id_token as id_token_hint, because the IdP is using the id_token to identify the application.

We could find the following possible solutions:

1. Make id_token_hint not required to redirect to the application. But we use id_token_hint to identify the RP-initiated logout. From the id_token_hint, we derive the client_id. What is the best approach to identify the client during logout?
2. Ask the application to encrypt the decrypted token with the IdP certificate. Then in the logout flow, the IdP decrypts and verifies the token. This adds more overhead for the application as well.

Any thoughts on how to handle an encrypted id_token_hint for OIDC logout? Appreciate your suggestions on this.

Thank you for your time,
Piraveena

--
*Piraveena Paralogarajah*
*Blog:* https://medium.com/@piraveenaparalogarajah
*LinkedIn*: https://www.linkedin.com/in/piraveena-paralogarajah
_______________________________________________ specs mailing list sp...@lists.openid.net http://lists.openid.net/mailman/listinfo/openid-specs
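An added example, not part of the post above and not code from any OpenID implementation: a sketch of how an OP's logout endpoint can tell a signed (JWS) id_token_hint, whose aud claim identifies the client, from an encrypted (JWE) one, whose claims the OP cannot read because it was encrypted to the RP's key, and in the latter case fall back to an explicit client_id request parameter cross-checked against the JWE header's kid. The CLIENTS registry, the HS256-signed demo tokens and the placeholder JWE body segments are all constructed for the example.

```python
import base64, hashlib, hmac, json
from typing import Optional

# Constructed RP registry (hypothetical): client_id -> shared secret and registered encryption key id.
CLIENTS = {"app-123": {"secret": b"constructed-shared-secret", "enc_kid": "app-123-enc-key-1"}}

def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_hs256_id_token(claims: dict, secret: bytes) -> str:
    """Constructed helper: mint a signed ID Token (JWS compact form, 3 segments) for the demo."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def make_jwe_shell(header: dict) -> str:
    """Constructed helper: a JWE-shaped token (5 segments). Only the header is meaningful here,
    since the OP never decrypts a token that was encrypted to the RP's public key."""
    opaque = b64url_encode(b"\x00" * 16)
    return ".".join([b64url_encode(json.dumps(header).encode()), opaque, opaque, opaque, opaque])

def resolve_logout_client(id_token_hint: str, client_id_param: Optional[str]) -> str:
    """Return the client_id the OP may trust for this RP-initiated logout, or raise ValueError."""
    parts = id_token_hint.split(".")
    if len(parts) == 3:  # JWS: claims are readable, so aud tells us the client; then verify.
        aud = json.loads(b64url_decode(parts[1])).get("aud")
        client = CLIENTS.get(aud)
        if client is None:
            raise ValueError("unknown aud in id_token_hint")
        # Always recompute with the client's own secret; never trust the header's alg.
        expected = hmac.new(client["secret"], f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(parts[2])):
            raise ValueError("id_token_hint signature invalid")
        if client_id_param is not None and client_id_param != aud:
            raise ValueError("client_id does not match id_token_hint")
        return aud
    if len(parts) == 5:  # JWE: claims are ciphertext for the RP; the OP needs client_id another way.
        if client_id_param is None:
            raise ValueError("encrypted id_token_hint: client_id parameter required")
        client = CLIENTS.get(client_id_param)
        if client is None:
            raise ValueError("unknown client_id")
        # Consistency check: the JWE kid must be the encryption key registered for that client.
        if json.loads(b64url_decode(parts[0])).get("kid") != client["enc_kid"]:
            raise ValueError("JWE kid does not belong to client_id")
        return client_id_param
    raise ValueError("id_token_hint is neither a JWS nor a JWE")
```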