Is your feature request related to a problem you're having? Please describe.
The current SDK does not support a direct back-channel logout mechanism for OpenID Connect 1.0. This limitation makes it difficult to securely log out users across multiple Relying Parties (RPs) without depending on the User Agent. The reliance on front-channel logout methods can lead to inconsistencies and potential security vulnerabilities, as the User Agent may not reliably propagate logout requests to all RPs.
Describe the solution you'd like
I would like the SDK to include support for a direct back-channel logout mechanism for OpenID Connect 1.0. This would allow the SDK to facilitate secure and consistent communication between the OpenID Provider (OP) and the Relying Parties (RPs) during logout events, without involving the User Agent. Implementing this feature would enhance the reliability and security of the logout process in applications using the SDK.
Describe alternatives you've considered
An alternative is to continue using the existing front-channel logout mechanism within the SDK, where the User Agent is used to relay logout requests from the OP to the RPs. However, this approach is less secure and can result in unreliable logout behavior, especially in cases where the User Agent does not effectively communicate the logout request to all RPs.
Additional context
Adding support for a back-channel logout mechanism in the SDK would align with the security standards of OpenID Connect, offering developers a more robust tool for managing user sessions. This feature would ensure a more reliable and secure logout process across multiple RPs, which is essential for maintaining high security and user trust in applications built with the SDK.
Cross-posted to the Android SDK.
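An added example, not part of the issue and not SDK code, of what receiving a back-channel logout involves on the RP side: checking the logout token the OP sends directly to the RP, following the claim rules in OpenID Connect Back-Channel Logout 1.0. HS256 with a shared key, the issuer and client ID values, the 120-second freshness window and the in-memory replay cache are assumptions chosen so the code runs with only the standard library.

```python
import base64, hashlib, hmac, json, time

LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"
seen_jti = set()  # replay cache (assumption: in-memory; bound it in real use)

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict, key: bytes) -> str:  # stand-in for the OP (demo tokens)
    head = b64url(json.dumps({"alg": "HS256"}).encode())
    body = b64url(json.dumps(claims).encode())
    mac = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(mac)}"

def validate_logout_token(token, key, issuer, client_id, now=None, max_age=120):
    """Return the claims of an acceptable logout token, else raise ValueError."""
    now = time.time() if now is None else now
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header, claims = (json.loads(b64url_decode(p)) for p in (head_b64, body_b64))
        sig = b64url_decode(sig_b64)
        alg, aud = header.get("alg"), claims.get("aud")  # non-object JSON fails here
    except Exception as exc:
        raise ValueError("malformed token") from exc
    if alg != "HS256":  # pin the algorithm; "none" is rejected
        raise ValueError("unexpected alg")
    mac = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, mac):
        raise ValueError("bad signature")
    auds = [aud] if isinstance(aud, str) else aud if isinstance(aud, list) else []
    if claims.get("iss") != issuer or client_id not in auds:
        raise ValueError("wrong iss or aud")
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)) or abs(now - iat) > max_age:
        raise ValueError("stale or missing iat")
    if not (claims.get("sub") or claims.get("sid")):
        raise ValueError("neither sub nor sid")
    events = claims.get("events")
    if not isinstance(events, dict) or LOGOUT_EVENT not in events:
        raise ValueError("not a back-channel logout event")
    if "nonce" in claims:  # a nonce would make the token resemble an ID Token
        raise ValueError("nonce must be absent")
    jti = claims.get("jti")
    if not isinstance(jti, str) or jti in seen_jti:
        raise ValueError("missing or replayed jti")
    seen_jti.add(jti)
    return claims
```

Only after this function returns should the RP end the sessions matching the returned `sid` or `sub`.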