Expected behaviour
Logout should revoke access and refresh tokens successfully with Keycloak when using client secret signed JWT.
Actual behaviour
Revoking access and refresh tokens fails because the audience of the client-secret-signed JWT is filled with the revoke endpoint instead of the realm issuer that Keycloak expects.
Minimized example
Configuration and NGINX server log files
2023/08/16 22:52:48 [error] 7#7: *3740 [lua] openidc.lua:1240: openidc_revoke_token(): revocation of access_token unsuccessful: response indicates failure, status=400, body={"error":"unauthorized_client","error_description":"Client authentication with client secret signed JWT failed: Token audience doesn't match domain. Realm issuer is 'https://<redacted>/realms/<realm_name>' but audience from token is '[https://<redacted>/realms/<realm_name>/protocol/openid-connect/revoke]'"},
jfhenriques changed the title from "Issue when calling revocation endpoint using client secret signed JWT" to "Failure revoking tokens when calling revocation endpoint using client secret signed JWT" on Aug 16, 2023
Unfortunately this is one of the areas where implementations are allowed (and expected?) to be different. The client-jwt code in lua-resty-openidc is based on the requirements in the OpenID Connect spec which says "The Audience SHOULD be the URL of the Authorization Server's Token Endpoint."
The OpenID spec is based on RFC 7523 which explicitly mentions this needs to be negotiated "out of band" in section 5. So this looks like something we'll need to make configurable.
Of course the OpenID Connect spec only talks about the token endpoint, not the revocation endpoint - which likely means this is even less standardized than the format to use for the token endpoint.
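As an added illustration (not code from lua-resty-openidc, the reporter or Keycloak), the following Python builds a client_secret_jwt assertion with a configurable aud and runs a server-side check of the kind that produced the error in the log above: the same assertion passes when aud is the realm issuer and is rejected when it is the revoke endpoint. The client id, secret and URLs are constructed placeholders.

```python
import base64, hashlib, hmac, json, time, uuid

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def build_client_assertion(client_id, client_secret, audience, now=None):
    """client_secret_jwt assertion (RFC 7523 / OIDC Core) signed with HS256.
    `audience` is the negotiable part: OIDC says the token endpoint, while the
    Keycloak error in the thread shows it expects the realm issuer."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": client_id, "sub": client_id, "aud": audience,
              "jti": str(uuid.uuid4()), "iat": now, "exp": now + 60}
    signing_input = (_b64url(json.dumps(header).encode()) + "." +
                     _b64url(json.dumps(claims).encode()))
    sig = hmac.new(client_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_client_assertion(token, client_secret, accepted_audiences, now=None):
    """Authorization-server side: check signature and expiry first, then require
    that aud (string or list) intersects the accepted set. Returns (ok, reason)."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
    except ValueError:
        return False, "malformed"
    expected = hmac.new(client_secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(p))
    if claims.get("exp", 0) <= now:
        return False, "expired"
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if not set(auds) & set(accepted_audiences):
        return False, f"audience {auds} not in {sorted(accepted_audiences)}"
    return True, "ok"

if __name__ == "__main__":
    issuer = "https://as.example/realms/demo"          # constructed placeholder
    revoke = issuer + "/protocol/openid-connect/revoke"
    for aud in (revoke, issuer):
        tok = build_client_assertion("app", "s3cret", aud)
        print(aud, "->", verify_client_assertion(tok, "s3cret", {issuer}))
```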
I also didn't find anything helpful about the revocation endpoints in the same RFC, nor did I find anything in Keycloak's documentation. Thanks for the suggestion of making it configurable.