Make ADFS OAuth2 Logout More Secure and Practical
Server 2016/ADFS 4.0 - The OAuth2 Logout endpoint requires idtokenhint before it redirects a user back to the RP. This is good; however, the value used for the idtokenhint is the original id_token issued at the time of sign-in. This is not good for a few reasons:
In a server-side app, the idtoken is used at the time of sign-in, and the claims issued from the idtoken get saved to the session cookie. After the sign-in step, there's no use for the original idtoken. Now, with the idtoken being required for the Logout request, we have to store the id_token in the session cookie as well, making it double in size.
With oauth2/logout being a GET per the spec, and idtokenhint carrying the original id_token, it gets recorded in browser history and other log files. GET parameters are typically considered non-sensitive, and now there's a chance that someone could use it to do bad things.
Based on the number of claims being issued by ADFS, the id_token can be so large that some browsers will not support the length of the request. This will lead to poor user experience and broken logout functionality.
Therefore, I suggest you use a different value - some hash or some other value (much smaller in size) that ADFS can trust and validate when given back in an oauth2/logout request (in the idtokenhint parameter).
Then you can provide that value as an attribute in the id_token at the time of signing in. Apps can extract that value and store it in the session to be used at the time of logout.
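As an added illustration of the proposal (not code from this post, from ADFS, or from any RP library): a simulated IdP and RP where the IdP embeds a compact, HMAC-backed logout_hint claim in the id_token and later validates that hint on oauth2/logout, so the RP session keeps only the hint and the logout GET never carries the full token. The ADFS host, issuer, key, session id and claim name are assumptions, and HS256 with a shared key stands in for ADFS's RS256 signing.

```python
import base64, hashlib, hmac, json
from urllib.parse import urlencode

IDP_KEY = b"constructed-idp-secret"                               # hypothetical IdP secret
ADFS_LOGOUT = "https://adfs.example.com/adfs/oauth2/logout"       # placeholder host

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_logout_hint(sid: str) -> str:
    """IdP side: sid plus a truncated HMAC, so the IdP can validate the hint
    statelessly without ever seeing the id_token again (constructed design)."""
    mac = hmac.new(IDP_KEY, sid.encode(), hashlib.sha256).digest()[:16]
    return f"{sid}.{b64u(mac)}"

def verify_logout_hint(hint: str):
    """IdP side, on oauth2/logout: return the session id if authentic, else None."""
    sid = hint.partition(".")[0]
    return sid if hmac.compare_digest(make_logout_hint(sid), hint) else None

def issue_id_token(sid: str, claims: dict) -> str:
    """IdP side: HS256 JWT carrying the normal claims plus the logout_hint claim."""
    header = b64u(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64u(json.dumps({**claims, "logout_hint": make_logout_hint(sid)}).encode())
    sig = hmac.new(IDP_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64u(sig)}"

def rp_sign_in(id_token: str) -> dict:
    """RP side: verify the token, then keep only claims and the small hint in the session."""
    header, payload, sig = id_token.split(".")
    expected = hmac.new(IDP_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64u(expected), sig):
        raise ValueError("bad id_token signature")
    claims = json.loads(b64u_decode(payload))
    return {"sub": claims["sub"], "logout_hint": claims["logout_hint"]}

def logout_url(hint_value: str, post_logout: str = "https://rp.example.com/") -> str:
    """RP side: the GET logout request; hint_value is whatever goes into id_token_hint."""
    return ADFS_LOGOUT + "?" + urlencode({"id_token_hint": hint_value,
                                          "post_logout_redirect_uri": post_logout})

# Constructed sample: a token padded with many group claims, as ADFS often issues.
SAMPLE_CLAIMS = {"iss": "https://adfs.example.com/adfs", "sub": "alice", "aud": "rp-client-id",
                 **{f"group{i}": f"CN=group{i},OU=Groups,DC=example,DC=com" for i in range(40)}}
SESSION_ID = "3f2c9e1a"
```

Comparing `len(logout_url(token))` against `len(logout_url(session["logout_hint"]))` shows how much of the GET request the full id_token accounts for.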
Rasitha Wijesinghe commented
FYI - there's an open proposal to the OpenID spec to account for this:
Michael Hall commented
I work at JPMC and we have 2,500 apps on ADFS and I know all about this and we suggest this 4 shizzle. Also you need to be able to encrypt the id_token with OIDC with ADFS.