Need a better way to Logout - Consider access_token as a token_hint

We need a better way to Logout

Problem: Given that id_token is really not used for anything other than initial sign-in on the client, to keep it around as "baggage" bloating one's cookie or session is a heavy price to pay in order to later Logout. (id_token_hint)

Consider: Logout to accept id_token or access_token as hint.

This at least is a partial solution. It doesn't help in cases where access tokens are not used, but many clients do store an access_token for API usage, and storing such is more worthwhile. Rather than force that client to store both id_token AND access_token, why not accept access_token as a logout hint? It too can validate which client is making the request, and therefore deliver the appropriate logout redirects.
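
A sketch of how a logout endpoint could resolve either token type to a client before choosing a redirect, added here as an example and not code from the post or from any identity server. It assumes JWT-format access tokens that carry a `client_id` claim; the HS256 key, the client registry and all function names are constructed for illustration.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-signing-key"   # constructed; real servers use asymmetric keys
CLIENTS = {                              # constructed registry: client -> allowed logout URIs
    "spa": {"https://spa.example/signed-out"},
    "api-client": {"https://app.example/bye"},
}

def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(claims: dict) -> str:
    """Issue an HS256 JWT (stands in for the token service)."""
    head = b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64(json.dumps(claims).encode())
    mac = hmac.new(KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64(mac)}"

def client_from_hint(token: str):
    """Return the registered client a hint token was issued to, else None."""
    try:
        head, body, sig = token.split(".")
        if json.loads(unb64(head)).get("alg") != "HS256":
            return None                  # pin the algorithm; never trust the header
        expected = hmac.new(KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, unb64(sig)):
            return None                  # unsigned or altered hints identify nobody
        claims = json.loads(unb64(body))
    except (ValueError, TypeError, AttributeError):
        return None
    if not isinstance(claims, dict):
        return None
    # JWT access token: client is in "client_id"; id_token: client is in "aud"
    client = claims.get("client_id") or claims.get("aud")
    return client if isinstance(client, str) and client in CLIENTS else None

def logout_redirect(hint: str, requested_uri: str):
    """Redirect only to a URI registered for the client the hint identifies."""
    client = client_from_hint(hint)
    if client is None or requested_uri not in CLIENTS[client]:
        return None                      # caller shows its own logged-out page instead
    return requested_uri
```

The redirect decision depends only on the verified client and that client's registered URIs, so either token type works as a hint without widening where a logout can send the browser.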