- changed status to open
LogoutTokenValidator should optionally accept "typ":"JWT" (and possibly others)
LogoutTokenValidator currently (in version 11.10.1) conditionally accepts logout tokens missing a "typ", but if present requires that its value is "logout+jwt".
While OIDC Backchannel Logout RECOMMENDS that logout tokens are explicitly typed, there are deployments out there that use "typ":"JWT" (specifically, Keycloak: https://github.com/keycloak/keycloak/issues/28939).
As a workaround, I copy/pasted the LogoutTokenValidator into my project (without its create() static factory, as it depends on package-local static factory methods from IDTokenValidator) and made it accept both "JWT" and "logout+jwt" when the validator doesn't require typed tokens (in other words, it accepts "typ":"JWT" whenever it also accepts a missing "typ").
Comments (3)
We are going to treat the "typ":"JWT" as a JWT without a type.
The explicit typing of logout JWTs is a good practice. ID tokens should have been explicitly typed also. A major omission in OIDC. Because of the lack of explicit typing of ID tokens, a logout JWT can be taken and potentially presented as an ID token.
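The "typ" policy the report asks for (accept "JWT" exactly where a missing "typ" is accepted, and "logout+jwt" always), together with the claim checks that keep a logout token from passing as an ID token, as an added Python example that is not the Nimbus SDK's own code. The claim checks follow OpenID Connect Back-Channel Logout 1.0 section 2.6; signature, issuer, audience and time checks are assumed to happen elsewhere, and the sample token is constructed with a dummy signature segment.

```python
import base64
import json

LOGOUT_TYP = "logout+jwt"
BACKCHANNEL_LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"

def _b64url_json(segment: str) -> dict:
    """Decode one base64url JSON segment of a compact JWS (padding restored)."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def typ_accepted(header: dict, require_typed: bool) -> bool:
    """'typ' policy from the issue: "logout+jwt" is always accepted; a missing
    'typ' or the generic "JWT" only when typed tokens are not required."""
    typ = header.get("typ")
    return typ == LOGOUT_TYP or (typ in (None, "JWT") and not require_typed)

def claim_problems(claims: dict) -> list:
    """Structural checks from OpenID Connect Back-Channel Logout 1.0 (section 2.6)
    that keep a logout token from passing as an ID token and vice versa."""
    problems = []
    if "nonce" in claims:
        problems.append("logout tokens must not carry a nonce")
    events = claims.get("events")
    if not isinstance(events, dict) or BACKCHANNEL_LOGOUT_EVENT not in events:
        problems.append("missing backchannel-logout event claim")
    if not (claims.get("sub") or claims.get("sid")):
        problems.append("logout token needs a sub and/or sid")
    return problems

def validate_logout_token(jws: str, require_typed: bool) -> dict:
    """Header and claims checks only; signature, iss, aud, iat and jti checks
    are assumed to happen elsewhere (not shown here)."""
    header_b64, payload_b64, _sig = jws.split(".")
    if not typ_accepted(_b64url_json(header_b64), require_typed):
        raise ValueError("unexpected JWS header typ")
    claims = _b64url_json(payload_b64)
    problems = claim_problems(claims)
    if problems:
        raise ValueError("; ".join(problems))
    return claims

def make_test_token(header: dict, claims: dict) -> str:
    """Constructed sample only: compact JWS with a dummy signature segment."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(claims)}.sig"
```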
- changed status to resolved
Resolved here: ebd7de27368db1a36d97d2a929a483f6882172c3
LogoutTokenValidator should accept JWS header "typ":"JWT"