Possible to spoof logout?

[plinss]

From the TAG Review.

The logout process is somewhat vague, we were wondering if there's any authentication in the logout payload? The concern is random third parties being able to call the logout endpoint of an RP and log users out.

[cbiesinger]

This is about logoutRPs?

[plinss]

This is about the logout endpoint on the RP. E.g. can a random 3rd party call a RP's logout endpoint and log users out?

[cbiesinger]

Yes, we need to work on that. The thinking is two-fold:

• Only allow calling logoutRPs from an IDP's origin when the browser knows that there is a previous login from that IDP to that RP
• The endpoint should check for the "Sec-FedCM-CSRF" header

[plinss]

Both of those seem to be mitigated by the UA, what's stopping someone from simply using cURL, for example, to send logout requests to random RPs? I'm thinking about a DOS attack.

To mitigate against that the logout request would need to contain something unique to the session, or a token signed by the IDP.

[npm1]

Are you talking about the POST request on https://fedidcg.github.io/FedCM/#browser-api-idp-sign-out? This is a credentialed request (uses RP cookies), so seems hard to spoof? Perhaps I'm missing something.

[plinss]

I didn't see that it required the RP's cookies, should be ok then.

[samuelgoto]

I didn't see that it required the RP's cookies, should be ok then.

Correct.

Importantly, this is already a deployed practice in SAML and OIDC, so something that already exists that we are trying to preserve, rather than something that we are trying to introduce.

Will close this now as resolved, feel free to re-open if you need further clarification.