OIDC Front-Channel Logout not adhering to spec

Jens Borgland 11 Reputation points
2020-03-05T15:02:35.727+00:00

I've found a couple of bugs in the Azure AD implementation of OpenID Connect Front-Channel Logout. Since it's a bit unclear (to me) how bugs should be reported I posted this in the Feedback portal a while ago but it seems like things reported here get attention quicker.

Background

Azure AD supports OpenID Connect Front-Channel Logout. This is not really apparent from the documentation, but it appears to be what the configured Logout URL of a registered app is used for, and the OIDC Discovery Document clearly states frontchannel_logout_supported:true.

Problem 1: No iss parameter

It however appears to always send a sid parameter (which it may) but without sending an iss parameter (which the specification states is required if the sid parameter is included). This is consistent with the OpenID Connect HTTP-Based Logout spec (and I notice that the Discovery document also states http_logout_supported:true - which is from the old specification draft) but not with the OpenID Connect Front-Channel Logout specification that superseded it.

The reason why the iss must be included is that the sid is only guaranteed to be unique in the context of a particular issuer.

From the spec (https://openid.net/specs/openid-connect-frontchannel-1_0.html#RPLogout):

The OP MAY add these query parameters when rendering the logout URI, and if either is included, both MUST be:

iss Issuer Identifier for the OP issuing the front-channel logout request.

sid Identifier for the Session.

Problem 2: no sid in ID token

Although the front-channel logout request seemingly always contains a sid parameter, the ID token by default does not. It's possible to get it to (by adding it as an optional claim in the Token configuration section of the app configuration) but if it's not included in the ID token then it should not be part of the logout request either.
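As an added example (not from the post and not Azure AD or Microsoft code), this is how a relying party could check the "both or neither" rule and the per-issuer scoping of sid before acting on a front-channel logout request; the issuer URLs, sid values and session table are constructed for the example.

```python
from urllib.parse import parse_qs, urlparse


class LogoutRequestError(ValueError):
    """Raised when a front-channel logout request cannot be acted on safely."""


# Constructed session store for the example: at login the RP records the
# issuer of the ID token together with its "sid" claim (when the token has
# one) and keys sessions on the pair, because sid is unique only per issuer.
SESSIONS = {
    ("https://op-a.example", "s-123"): "browser-session-A",
    ("https://op-b.example", "s-123"): "browser-session-B",  # same sid, other OP
}


def session_to_terminate(logout_url, sessions=SESSIONS):
    """Return the RP session a front-channel logout request refers to.

    Returns None when the request carries no session hint; the RP may then
    only end the session bound to the browser's own cookie. Raises
    LogoutRequestError when the request violates the spec or cannot be
    correlated with a session the RP knows about.
    """
    params = parse_qs(urlparse(logout_url).query, keep_blank_values=True)
    iss = params.get("iss", [None])[0]
    sid = params.get("sid", [None])[0]

    # Front-Channel Logout 1.0, section 3: if either iss or sid is present,
    # both MUST be. A bare sid (the behaviour described above) cannot be
    # scoped to an issuer, so it is rejected rather than guessed at.
    if (iss is None) != (sid is None):
        raise LogoutRequestError("iss and sid must be sent together")
    if iss is None:
        return None

    # Look the session up only under the issuer that sent the request. A sid
    # the RP never stored (e.g. the ID token had no sid claim) matches nothing.
    try:
        return sessions[(iss, sid)]
    except KeyError:
        raise LogoutRequestError("no session for this issuer and sid") from None


if __name__ == "__main__":
    url = "https://rp.example/logout?iss=https%3A%2F%2Fop-a.example&sid=s-123"
    print(session_to_terminate(url))  # browser-session-A
```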


1 answer

  1. Marilee Turscak-MSFT 35,806 Reputation points Microsoft Employee
    2020-03-12T22:36:03.537+00:00

    Thank you! I have shared these with the product team and will post an update when I have heard back.