OIDC Backchannel Logout does not allow logout tokens having `typ` header of `logout+jwt`
#15003
Labels
- in: oauth2 (An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose))
- type: enhancement (A general enhancement)
Describe the bug
OIDC Backchannel Logout does not allow logout tokens having a `typ` header of `logout+jwt`. By default the `logoutTokenDecoderFactory` creates a decoder that only allows `null` or `JWT`, and this `logoutTokenDecoderFactory` doesn't seem to be easily configurable using the DSL. In the OpenID Connect Back-Channel Logout specification it is recommended that the `typ` Header Parameter is set with a value of `logout+jwt`.

To Reproduce
Have an identity provider send a back-channel logout request to the Spring backend with a logout token whose `typ` header is `logout+jwt` instead of `JWT`. An error

```
[invalid_request] An error occurred while attempting to decode the Jwt: JOSE header typ (type) logout+jwt not allowed
```

occurs.

Expected behavior
The OIDC Backchannel Logout should by default accept and process tokens having a `typ` header of `logout+jwt`.