
OIDC Backchannel Logout does not allow logout tokens having typ header of logout+jwt #15003

Closed
justin-tay opened this issue May 3, 2024 · 1 comment
Labels
in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) type: enhancement A general enhancement

Comments

@justin-tay
Contributor

Describe the bug
OIDC Backchannel Logout does not allow logout tokens having typ header of logout+jwt. By default the logoutTokenDecoderFactory creates a decoder that only allows null or JWT and this logoutTokenDecoderFactory doesn't seem to be easily configurable using the DSL.

In the OpenID Connect Back-Channel Logout specification it is recommended that the typ Header Parameter is set with a value of logout+jwt.

To Reproduce
Have an identity provider send a back-channel logout request to the Spring backend with a logout token with typ header of logout+jwt instead of JWT.

An error [invalid_request] An error occurred while attempting to decode the Jwt: JOSE header typ (type) logout+jwt not allowed occurs.

Expected behavior
The OIDC Backchannel Logout should by default accept and process tokens having typ header of logout+jwt.
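As an added example (not code from Spring Security or from the issue author), this is the validation a back-channel logout endpoint should apply to a logout token: accept the typ values `logout+jwt`, `JWT` or none, verify the signature, and then enforce the Back-Channel Logout claim rules (events member present, sub or sid, jti, no nonce). The shared HS256 key, issuer, client id and timestamps are constructed for the example; real providers sign with asymmetric keys published via JWKS.

```python
import base64, hashlib, hmac, json, time

# Per OpenID Connect Back-Channel Logout 1.0, "logout+jwt" is the recommended typ,
# so a decoder that only permits a missing typ or "JWT" rejects conforming tokens.
ALLOWED_TYP = {None, "JWT", "logout+jwt"}
LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_hs256(header: dict, claims: dict, key: bytes) -> str:
    # Constructed helper standing in for the identity provider (HS256 only so the
    # example is self-contained; production tokens are RS/ES-signed and checked via JWKS).
    signing_input = b64url_encode(json.dumps(header).encode()) + "." + \
        b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def validate_logout_token(token: str, key: bytes, issuer: str, client_id: str, now=None) -> dict:
    """Return the claims of a valid back-channel logout token, else raise ValueError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    h, p, s = parts
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":          # pin the algorithm; never trust "alg" blindly
        raise ValueError("alg not allowed")
    typ = header.get("typ")
    if typ not in ALLOWED_TYP:                # the check the issue is about
        raise ValueError(f"JOSE header typ (type) {typ} not allowed")
    claims = json.loads(b64url_decode(p))
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if claims.get("iss") != issuer or client_id not in aud:
        raise ValueError("iss/aud mismatch")
    if not isinstance(claims.get("iat"), int) or abs(now - claims["iat"]) > 300:
        raise ValueError("iat missing or outside clock-skew window")
    if "jti" not in claims or ("sub" not in claims and "sid" not in claims):
        raise ValueError("jti and one of sub/sid are required")
    if LOGOUT_EVENT not in (claims.get("events") or {}):
        raise ValueError("missing backchannel-logout event")
    if "nonce" in claims:                     # nonce is prohibited: it distinguishes logout tokens from ID tokens
        raise ValueError("nonce is prohibited in logout tokens")
    return claims
```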

@justin-tay justin-tay added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels May 3, 2024
@sjohnr sjohnr added the in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) label May 9, 2024
@jzheaux jzheaux removed the status: waiting-for-triage An issue we've not yet triaged label May 31, 2024
@jzheaux jzheaux added this to the 6.4.0-M1 milestone May 31, 2024
@jzheaux jzheaux added type: enhancement A general enhancement and removed type: bug A general bug labels May 31, 2024
@jzheaux
Contributor

jzheaux commented May 31, 2024

Thanks for the report, @justin-tay.

Since this is not required by the spec, but only recommended, I've published this to main and not backported it to 6.2.x, simply to keep the maintenance branch changes as small as possible. Please let me know, though, if this causes an issue, and we can take another look together at backporting.
