LogoutTokenValidator should optionally accept "typ":"JWT" (and possibly others)

Issue #465 resolved
Thomas Broyer created an issue

LogoutTokenValidator currently (in version 11.10.1) conditionally accepts logout tokens missing a “typ”, but if present requires that its value is “logout+jwt”.

While OIDC Backchannel Logout RECOMMENDS that logout tokens are explicitly typed, there are deployments out there that use "typ":"JWT" (specifically, Keycloak: https://github.com/keycloak/keycloak/issues/28939)

As a workaround, I copy/pasted the LogoutTokenValidator into my project (without its create() static factory as it depends on package-local static factory methods from IDTokenValidator) and made it accept both "JWT" and "logout+jwt" when the validator doesn't require typed tokens (in other words, accepts "typ":"JWT" whenever it also accepts a missing "typ").
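The "typ" policy the workaround describes, written out as an added stand-alone Python illustration (not code from the Nimbus SDK or from the reporter): the header of a compact JWT is decoded and the "typ" value is checked in either strict mode (only "logout+jwt" passes) or lenient mode ("logout+jwt", "JWT" and a missing "typ" all pass). The function names and the unsigned sample tokens are constructed for this example; a real validator also verifies the signature and the claims, which this sketch leaves out.

```python
import base64
import json

LOGOUT_TYP = "logout+jwt"   # the type OIDC Backchannel Logout recommends
GENERIC_TYP = "jwt"         # what some deployments (e.g. Keycloak) emit instead


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def jose_header(token: str) -> dict:
    """Return the JOSE header of a compact-serialized JWT (no signature check)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected three segments)")
    return json.loads(_b64url_decode(parts[0]))


def typ_accepted(header: dict, require_typed_tokens: bool) -> bool:
    """Apply the typ policy from the issue.

    Strict mode: only "logout+jwt" is accepted.
    Lenient mode: "logout+jwt", "JWT" and an absent "typ" are accepted.
    Any other type (for example "at+jwt") is always rejected.
    Comparison is case-insensitive, as media type names are.
    """
    typ = header.get("typ")
    if typ is None:
        return not require_typed_tokens
    typ = typ.lower()
    if typ == LOGOUT_TYP:
        return True
    if typ == GENERIC_TYP:
        return not require_typed_tokens
    return False


def logout_token_typ_ok(token: str, require_typed_tokens: bool) -> bool:
    """Decode the header of `token` and run the typ policy over it."""
    return typ_accepted(jose_header(token), require_typed_tokens)


def sample_token(header: dict) -> str:
    """Build a constructed, unsigned test vector: header.payload.<empty signature>.

    Only the header matters for the typ check, so the payload is a minimal
    logout-token-shaped claims set and the signature segment is left empty.
    """
    claims = {
        "iss": "https://op.example",
        "aud": "client-123",
        "events": {"http://schemas.openid.net/event/backchannel-logout": {}},
    }
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        "",
    ])


# Constructed sample tokens covering the cases the issue discusses.
EXPLICITLY_TYPED = sample_token({"alg": "RS256", "typ": "logout+jwt"})
KEYCLOAK_STYLE = sample_token({"alg": "RS256", "typ": "JWT"})
UNTYPED = sample_token({"alg": "RS256"})
WRONG_TYPE = sample_token({"alg": "RS256", "typ": "at+jwt"})


if __name__ == "__main__":
    for name, tok in [("logout+jwt", EXPLICITLY_TYPED), ("JWT", KEYCLOAK_STYLE),
                      ("missing typ", UNTYPED), ("at+jwt", WRONG_TYPE)]:
        print(f"{name:12} strict={logout_token_typ_ok(tok, True)!s:5} "
              f"lenient={logout_token_typ_ok(tok, False)}")
```

The key property is the one the reporter asks for: "typ":"JWT" is accepted exactly when a missing "typ" would be, so enabling strict typing closes both doors at once, while a token explicitly typed as something else (such as an access token's "at+jwt") is refused in either mode.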

Comments (3)

  1. Yavor Vasilev

    We are going to treat the "typ":"JWT" as a JWT without a type.

    The explicit typing of logout JWTs is a good practice. ID tokens should have been explicitly typed also. A major omission in OIDC. Because of the lack of explicit typing of ID tokens, a logout JWT can be taken and potentially presented as an ID token.
