By: Doug Harris named 30 Apr 2020 at 7:42 a.m. CDT

2 Responses
## Expected Behaviour

As per the [spec](https://openid.net/specs/openid-connect-frontchannel-1_0.html#OPLogout): "OPs supporting HTTP-based logout need to keep track of the set of logged-in RPs so that they know what RPs to contact at their logout URIs to cause them to log out."

oxAuth should keep track of this information until either:

a) the session is explicitly ended by calling the end_session endpoint, or
b) the sessionIdLifetime expires.

## Actual Behaviour

oxAuth loses track of the set of logged-in RPs if a re-authentication is performed as a result of receiving an authentication request specifying prompt=login, or max-age=n where n has expired.

## Steps to Reproduce

1. Log in from RP 1
2. Log in from RP 2 with prompt=login
3. Call the end_session endpoint
4. oxAuth produces a logout propagation page containing an iFrame for RP2, but not for RP1.
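A regression check for the behaviour reported above, as an added example that is not part of the original post and is not oxAuth code: it parses a logout propagation page and reports which logged-in RPs have no iframe. The RP names, URIs and page bodies are constructed sample data, and matching on scheme, host and path is an assumption made so that `iss` and `sid` query parameters appended by the OP do not cause false mismatches.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class _IframeSrcs(HTMLParser):
    """Collect the src attribute of every <iframe> in a page."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)

def _key(uri):
    # Compare on scheme, host and path only (assumption): the OP may append
    # iss and sid query parameters to the registered frontchannel_logout_uri.
    p = urlsplit(uri)
    return (p.scheme.lower(), p.netloc.lower(), p.path)

def missing_logout_iframes(page_html, logged_in_rps):
    """Return names of RPs that logged in during the session but have no
    iframe on the logout propagation page.

    logged_in_rps maps an RP name to its registered frontchannel_logout_uri.
    """
    parser = _IframeSrcs()
    parser.feed(page_html)
    rendered = {_key(s) for s in parser.srcs}
    return sorted(name for name, uri in logged_in_rps.items()
                  if _key(uri) not in rendered)

# Constructed sample data (hypothetical RP URIs and page bodies).
RPS = {
    "RP1": "https://rp1.example/logout",
    "RP2": "https://rp2.example/logout",
}
# Page shape described in step 4 of the report: only RP2 is contacted.
PAGE_AS_REPORTED = """<html><body>
<iframe src="https://rp2.example/logout?sid=abc&amp;iss=https%3A%2F%2Fop.example"></iframe>
</body></html>"""
# Page shape the spec calls for: every logged-in RP gets an iframe.
PAGE_EXPECTED = PAGE_AS_REPORTED.replace(
    "</body>", '<iframe src="https://rp1.example/logout?sid=abc"></iframe></body>')

if __name__ == "__main__":
    print("as reported, missing:", missing_logout_iframes(PAGE_AS_REPORTED, RPS))
    print("expected, missing:", missing_logout_iframes(PAGE_EXPECTED, RPS))
```
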

By Michael Schwartz Account Admin 30 Apr 2020 at 8:50 a.m. CDT

Good feedback. We'll confirm this on our side and open an issue in the oxAuth GitHub if we can confirm.

By Michael Schwartz Account Admin 05 May 2020 at 12:29 p.m. CDT

We have confirmed the issue. I moved it verbatim to GitHub: [oxauth-1341](https://github.com/GluuFederation/oxAuth/issues/1341). We will try to get a fix in for version 4.2. OIDF also missed this use case in their [logout conformance profile](https://openid.net/certification/#Logout_OPs)!