Allow option of using client_id instead of id_token_hint with RP-initiated logout in brokered IDP config/call. #27281

Closed
mposolda opened this issue Feb 26, 2024 · 0 comments · Fixed by #27295
@mposolda
Contributor

Description

Reported originally by Chris Dolphy:

Allow option of sending client_id instead of id_token_hint in Identity Provider config/calls.

Currently, id_token_hint is always sent. However, Login.gov does not support sending id_token_hint in logout. When id_token_hint is sent it gives an error screen that this is not allowed and to send client_id instead. This means that it's not possible to integrate to Login.gov as an identity provider. Here's the docs showing the options they allow:
https://developers.login.gov/oidc/logout/

and the developer support/FAQ also addresses this:

https://developers.login.gov/support/

I'll also attach a screenshot of the error

Note that Login.gov is a US government centralized login and is a critical identity provider for US public sector installs. https://en.wikipedia.org/wiki/Login.gov For this reason I think we need to treat this with a high priority.

As far as implementation, I think this is mostly a change to org.keycloak.broker.oidc.OIDCIdentityProvider and the IDP configuration to allow an option to not use id_token_hint and send client_id.

Discussion

No response

Motivation

No response

Details

No response
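
The two logout request shapes discussed in the issue above, as an added example that is not part of the original issue or of Keycloak's code: a broker builds the upstream IdP's RP-initiated logout URL with either `id_token_hint` or `client_id`. The switches `send_client_id` and `send_id_token_hint`, the helper names, and all endpoint, client and token values are assumptions constructed for illustration.

```python
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit


def build_logout_url(end_session_endpoint, client_id, id_token=None,
                     post_logout_redirect_uri=None, state=None,
                     send_client_id=False, send_id_token_hint=True):
    """Return the front-channel logout URL a broker sends the browser to.

    send_client_id and send_id_token_hint are hypothetical per-IdP switches
    for this example, not Keycloak configuration keys.
    """
    params = {}
    if send_id_token_hint and id_token:
        params["id_token_hint"] = id_token
    if send_client_id:
        params["client_id"] = client_id
    if post_logout_redirect_uri:
        # Without id_token_hint or client_id the IdP cannot tell which
        # client's registered redirect URIs to check, so refuse to build it.
        if not params:
            raise ValueError("post_logout_redirect_uri needs id_token_hint or client_id")
        params["post_logout_redirect_uri"] = post_logout_redirect_uri
        if state:
            params["state"] = state
    parts = urlsplit(end_session_endpoint)
    # Keep any query string already present on the configured endpoint.
    query = "&".join(q for q in (parts.query, urlencode(params)) if q)
    return urlunsplit(parts._replace(query=query))


def query_params(url):
    """Parse the query string back into a dict of single values."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


# Constructed sample values; idp.example is a placeholder, not a real IdP.
ENDPOINT = "https://idp.example/openid_connect/logout"
CLIENT_ID = "urn:example:broker"
ID_TOKEN = "eyJhbGciOiJub25lIn0.e30."  # constructed, not a real token
REDIRECT = "https://broker.example/logout_response"

# Default behaviour described in the issue: id_token_hint is sent.
default_url = build_logout_url(ENDPOINT, CLIENT_ID, ID_TOKEN, REDIRECT, "s1")
# Requested behaviour: identify the client by client_id only.
client_id_url = build_logout_url(ENDPOINT, CLIENT_ID, ID_TOKEN, REDIRECT, "s1",
                                 send_client_id=True, send_id_token_hint=False)

if __name__ == "__main__":
    print(default_url)
    print(client_id_url)
```

In the `client_id` mode the ID token never appears in the browser-visible URL, so it also stays out of the IdP's access logs and the browser history.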

@mposolda mposolda added kind/enhancement Categorizes a PR related to an enhancement status/triage area/identity-brokering labels Feb 26, 2024
@pedroigor pedroigor added priority/important Must be worked on very soon and removed status/triage labels Feb 26, 2024
pedroigor added a commit to pedroigor/keycloak that referenced this issue Feb 26, 2024
pedroigor added a commit to pedroigor/keycloak that referenced this issue Feb 26, 2024
@pedroigor pedroigor self-assigned this Feb 26, 2024
pedroigor added a commit to pedroigor/keycloak that referenced this issue Feb 26, 2024
…e sent in logout requests

Closes keycloak#27281

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
pedroigor added a commit that referenced this issue Feb 27, 2024
…e sent in logout requests

Closes #27281

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
ahus1 pushed a commit to ahus1/keycloak that referenced this issue Mar 22, 2024
…e sent in logout requests

Closes keycloak#27281

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>