Tags: spring, oauth-2.0, spring-oauth2, spring-authorization-server

Spring OAuth2 client performs Back-Channel Logout with an expired ID token


When trying to log out after updating the access token, I get the error: 400 Bad request - invalid id_token_hint. The authorization server uses JdbcOAuth2AuthorizationService. Therefore, I see that the client token (oidc_id_token_value) is updated along with the access token, but the client (spring-oauth2-client + gateway) does not update this token. Please tell me how to update this token on the client or make it so that the authorization server does not update it. And in general, what is this token oidc_id_token/id_token_hint? I could not find information about it in Spring. I would be grateful for any help and thanks in advance!

When configuring the logout I used this link. So far I see only one solution - write a custom token repository that will not update the client token (oidc_id_token) field. But I think this is a bad solution. And I still don't understand how this happens and why, because it hasn't expired yet.

UPDATE:

I found several similar links to my problem, but all I understood from them is that the problem is not solved. Maybe it will be useful to someone:

  1. Issue in Spring Authorization Server and Spring Cloud Gateway refresh_token flow
  2. Spring Authorization server OIDC logout not working after refreshing token in Spring cloud gateway
  3. OIDC RP-initiated logout doesn't work once the first access token got refreshed

Solution

    what is this token oidc_id_token/id_token_hint

    The id_token_hint is a recommended parameter of the logout request sent to the authorization server, as defined in the RP-Initiated Logout spec.

    write a custom token repository that will not update the client token (oidc_id_token) field. But I think this is a bad solution.

    Yes, it is a bad solution. It would be very awkward for an authorization server to issue expired tokens.

    As with all JWTs, ID tokens expire - even if their lifetime is usually longer than an access token's. So when tokens are refreshed, all of them should be (all but the refresh token if you want to force a new login after the original refresh token expires). The RP-Initiated Logout spec states that the authorization server SHOULD accept an expired id_token_hint, which means that it is recommended it does, but you have no guarantee that it will. So just have the client send a valid ID token (with an exp claim in the future).

    but the client (spring-oauth2-client + gateway) does not update this token

    It does, sometimes...

    The tokens are refreshed when accessed using the (Reactive)OAuth2AuthorizedClientManager. Unfortunately, the OidcClientInitiated(Server)LogoutSuccessHandler internally uses the (Reactive)ClientRegistrationRepository which doesn't refresh expired tokens. I opened a ticket to fix that.

    In my applications:
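As an added example (not the answer author's code and not Spring's own OidcClientInitiatedLogoutSuccessHandler), the following hypothetical handler applies the answer's two points: id_token_hint is only RECOMMENDED by the RP-Initiated Logout spec, and the client should never send an expired one. It assumes Spring Security 6 (jakarta servlet API), a client registration built from OIDC discovery so that end_session_endpoint is in the provider metadata, and a post_logout_redirect_uri already registered at the authorization server.

```java
import java.time.Clock;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.core.oidc.OidcIdToken;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler;
import org.springframework.web.util.UriComponentsBuilder;

// Hypothetical handler (added example): builds the RP-Initiated Logout URL and attaches
// id_token_hint only while the ID token held in the session's OidcUser is still unexpired.
public class ExpiryAwareLogoutSuccessHandler extends SimpleUrlLogoutSuccessHandler {
    private final ClientRegistrationRepository clientRegistrations;
    private final String postLogoutRedirectUri; // assumption: registered at the authorization server
    private final Clock clock;                  // injectable so the expiry check can be unit-tested

    public ExpiryAwareLogoutSuccessHandler(ClientRegistrationRepository clientRegistrations, String postLogoutRedirectUri, Clock clock) {
        this.clientRegistrations = clientRegistrations;
        this.postLogoutRedirectUri = postLogoutRedirectUri;
        this.clock = clock;
        setDefaultTargetUrl(postLogoutRedirectUri); // local fallback when no OIDC logout is possible
    }

    @Override
    protected String determineTargetUrl(HttpServletRequest request, HttpServletResponse response,
                                        Authentication authentication) {
        if (!(authentication instanceof OAuth2AuthenticationToken token)
                || !(token.getPrincipal() instanceof OidcUser user)) {
            return super.determineTargetUrl(request, response, authentication); // not an OIDC login
        }
        ClientRegistration registration =
                clientRegistrations.findByRegistrationId(token.getAuthorizedClientRegistrationId());
        // end_session_endpoint is present in the metadata when the registration came from OIDC discovery
        Object endSession = registration.getProviderDetails().getConfigurationMetadata().get("end_session_endpoint");
        if (endSession == null) return super.determineTargetUrl(request, response, authentication);
        UriComponentsBuilder logoutUri = UriComponentsBuilder.fromUriString(endSession.toString())
                .queryParam("client_id", registration.getClientId())
                .queryParam("post_logout_redirect_uri", this.postLogoutRedirectUri);
        OidcIdToken idToken = user.getIdToken();
        boolean unexpired = idToken.getExpiresAt() != null && idToken.getExpiresAt().isAfter(clock.instant());
        if (unexpired) {
            logoutUri.queryParam("id_token_hint", idToken.getTokenValue()); // RECOMMENDED, not REQUIRED
        }
        return logoutUri.encode().toUriString();
    }
}
```

Register it with `http.logout(logout -> logout.logoutSuccessHandler(handler))`. When the hint is omitted, the spec lets the OpenID Provider ask the end user to confirm the logout, which is safer than a 400 that leaves the provider session alive.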