Allow option of using client_id instead of id_token_hint with RP-initiated logout in brokered IDP config/call. #27281
Labels
area/identity-brokering
kind/enhancement
priority/important
release/24.0.0
team/core-iam
team/rh-iam
Description
Reported originally by Chris Dolphy:
Allow option of sending client_id instead of id_token_hint in Identity Provider config/calls.
Currently, id_token_hint is always sent. However, Login.gov does not support sending id_token_hint in logout. When id_token_hint is sent it gives an error screen that this is not allowed and to send client_id instead. This means that it's not possible to integrate with Login.gov as an identity provider. Here's the docs showing the options they allow:
https://developers.login.gov/oidc/logout/
and the developer support/FAQ also addresses this:
https://developers.login.gov/support/
I'll also attach a screenshot of the error
Note that Login.gov is a US government centralized login and is a critical identity provider for US public sector installs. https://en.wikipedia.org/wiki/Login.gov For this reason I think we need to treat this with a high priority.
As far as implementation, I think this is mostly a change to org.keycloak.broker.oidc.OIDCIdentityProvider and the IDP configuration to allow an option to not use id_token_hint and send client_id.
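To make the two RP-initiated logout variants concrete, the following is an added illustration (not Keycloak's OIDCIdentityProvider code and not Login.gov's implementation): it builds the end-session request either with id_token_hint, as the broker does today, or with client_id, as Login.gov requires, and then checks a request the way an OP that rejects id_token_hint would. The endpoint, client id, token and state values are constructed placeholders.

```python
"""Build and check an OIDC RP-Initiated Logout request with either
id_token_hint or client_id.  Added example; the endpoint, client id,
ID token and state below are constructed placeholders, not real data."""
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample values (hypothetical OP endpoint and broker registration).
END_SESSION_ENDPOINT = "https://idp.example.test/openid_connect/logout"
CLIENT_ID = "urn:example:keycloak-broker"
POST_LOGOUT_REDIRECT_URI = (
    "https://keycloak.example.test/realms/demo/broker/example/endpoint/logout_response"
)
ID_TOKEN = "eyJ.constructed.placeholder"  # stands in for the ID token the broker stored
STATE = "f3c2a1"                          # opaque value bound to the user's session


def build_logout_url(
    *,
    use_client_id: bool,
    client_id: str,
    post_logout_redirect_uri: str,
    state: str,
    id_token: Optional[str] = None,
    end_session_endpoint: str = END_SESSION_ENDPOINT,
) -> str:
    """Return the logout redirect URL.

    use_client_id=False reproduces today's behaviour (id_token_hint always sent);
    use_client_id=True is the requested option: identify the RP by client_id and
    omit id_token_hint entirely, which is what Login.gov expects.
    """
    params: Dict[str, str] = {
        "post_logout_redirect_uri": post_logout_redirect_uri,
        "state": state,
    }
    if use_client_id:
        params["client_id"] = client_id
    else:
        if id_token is None:
            raise ValueError("id_token_hint mode requires the stored ID token")
        params["id_token_hint"] = id_token
    return f"{end_session_endpoint}?{urlencode(params)}"


def logout_params(url: str) -> Dict[str, str]:
    """Single-valued view of the query parameters of a logout URL."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def check_logout_request(url: str, *, op_accepts_id_token_hint: bool = False) -> List[str]:
    """Return the problems an OP would raise for this request.

    Two rules are modelled: the OP-specific rejection of id_token_hint
    (Login.gov's behaviour as described in the report), and the
    RP-Initiated Logout rule that post_logout_redirect_uri must be
    accompanied by id_token_hint or client_id so the OP can identify the RP.
    """
    q = logout_params(url)
    problems: List[str] = []
    if "id_token_hint" in q and not op_accepts_id_token_hint:
        problems.append("id_token_hint is not accepted by this OP; send client_id instead")
    if "post_logout_redirect_uri" in q and "id_token_hint" not in q and "client_id" not in q:
        problems.append("post_logout_redirect_uri requires id_token_hint or client_id")
    return problems


if __name__ == "__main__":
    for mode in (False, True):
        url = build_logout_url(
            use_client_id=mode,
            client_id=CLIENT_ID,
            post_logout_redirect_uri=POST_LOGOUT_REDIRECT_URI,
            state=STATE,
            id_token=ID_TOKEN,
        )
        print(url)
        print("  problems:", check_logout_request(url) or "none")
```

With the id_token_hint variant the check reports the rejection described in the report, while the client_id variant passes both rules; the state and post_logout_redirect_uri parameters are kept in both cases so the broker can still correlate the logout response with the session it started.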