OpenID Connect Oauth2 Logout Token not using custom jwt alg #15273
Labels
in: oauth2
An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose)
type: enhancement
A general enhancement
Describe the bug
I am trying to make the Back-Channel Logout work with an OIDC client registered with an `id_token_signed_response_alg` of ES512, but when my OP sends the POST request to the client app, I get a `com.nimbusds.jose.proc.BadJOSEException: Signed JWT rejected: Another algorithm expected, or no matching key(s) found` exception. It looks like during the Back-Channel logout flow, the previously defined JwtDecoderFactory is not used to decode the Logout Token.
The Back-Channel logout works just fine when the client application is configured with an `id_token_signed_response_alg` of RS256 (default algorithm) and the custom JwtDecoderFactory removed. I am using Spring Security 6.4.0-SNAPSHOT because some things weren't implemented in 6.3.
To Reproduce
Use a back-channel logout with an `id_token_signed_response_alg` different from RS256 (which is the default).
Expected behavior
The expected behaviour would be to have the back-channel logout work using the same `id_token_signed_response_alg` as the one for the login process, that was already customized.
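As an added illustration (not code from the issue or from Spring Security itself), this is the login-side setup the report describes: a `JwtDecoderFactory<ClientRegistration>` bean that resolves ES512 for one client registration, with back-channel logout enabled through the DSL. The registration id is an assumption; as the report states, the back-channel logout flow does not use this bean, so the logout token is still checked against the RS256 default.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.client.oidc.authentication.OidcIdTokenDecoderFactory;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.jose.jws.JwsAlgorithm;
import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
import org.springframework.security.oauth2.jwt.JwtDecoderFactory;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class OidcEs512Config {

    // Assumed registration id; it must match the one in application.yml.
    private static final String ES512_REGISTRATION_ID = "my-oidc-client";

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests((authz) -> authz.anyRequest().authenticated())
            .oauth2Login(Customizer.withDefaults())
            // Registers the back-channel logout endpoint (Spring Security 6.2+).
            .oidcLogout((oidc) -> oidc.backChannel(Customizer.withDefaults()));
        return http.build();
    }

    /**
     * Decoder factory used by the login flow to validate the ID Token.
     * OidcIdTokenDecoderFactory expects RS256 unless a resolver says otherwise,
     * so the ES512 registration is mapped explicitly; all others keep RS256.
     */
    @Bean
    JwtDecoderFactory<ClientRegistration> idTokenDecoderFactory() {
        OidcIdTokenDecoderFactory factory = new OidcIdTokenDecoderFactory();
        factory.setJwsAlgorithmResolver(OidcEs512Config::resolveIdTokenAlgorithm);
        return factory;
    }

    static JwsAlgorithm resolveIdTokenAlgorithm(ClientRegistration registration) {
        if (ES512_REGISTRATION_ID.equals(registration.getRegistrationId())) {
            return SignatureAlgorithm.ES512;
        }
        return SignatureAlgorithm.RS256;
    }
}
```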