Spring OAuth2 client performs Back-Channel Logout with an expired ID token

When trying to log out after updating the access token, I get the error: 400 Bad request - invalid id_token_hint. The authorization server uses JdbcOAuth2AuthorizationService. Therefore, I see that the client token (oidc_id_token_value) is updated along with the access token, but the client (spring-oauth2-client + gateway) does not update this token. Please tell me how to update this token on the client or make it so that the authorization server does not update it. And in general, what is this token oidc_id_token/id_token_hint, I could not find information about it in spring. I would be grateful for any help and thanks in advance!

When configuring the logout I used this link. So far I see only one solution - write a custom token repository that will not update the client token(oidc_id_token) field. But I think this is a bad solution. And I still don't understand how this happens and why, because it hasn't expired yet

UPDATE:

I found several similar links to my problem, but all I understood from them is that the problem is not solved. Maybe it will be useful to someone:

1. Issue in Spring Authorization Server and Spring Cloud Gateway refresh_token flow
2. Spring Authorization server OIDC logout not working after refreshing token in Spring cloud gateway
3. OIDC RP-initiated logout doesn't work once the first access token got refreshed

what is this token oidc_id_token/id_token_hint

The id_token_hint is a recommended parameter of the logout request sent to the authorization server, as defined in the RP-Initiated Logout spec.

write a custom token repository that will not update the client token(oidc_id_token) field. But I think this is a bad solution.

Yes, it is a bad solution. It would be very awkward for an authorization server to issue expired tokens.

As with all JWTs, ID tokens expire - even if their lifetime is usually longer than access tokens one. So when tokens are refreshed, all of it should be (all but the refresh token if you want to force a new login after the original refresh token expire). The RP-Initiated Logout spec states that the authorization server SHOULD accept an expired id_token_hint, which means that it is recommended it does, but you have no guarantee that it will. So just have the client send a valid ID token (with an exp claim in the future).

but the client (spring-oauth2-client + gateway) does not update this token

It does, sometimes...

The tokens are refreshed when accessed using the (Reactive)OAuth2AuthorizedClientManager. Unfortunately, the OidcClientInitiated(Server)LogoutSuccessHandler internally uses the (Reactive)ClientRegistrationRepository which doesn't refresh expired tokens. I opened a ticket to fix that.

In my applications:

• backends expose a /me endpoint that reflects some access token claims - a minimum of username, authorities, and access token expiration
• frontend applications schedule a new call to this endpoint just before access token expiration (within the last minute). This:
  • forces token refreshing. I never face the issue you report here, because all tokens are refreshed before they expire.
  • provides the frontend, at all times, with the same user access information as the resource server (resource servers take access control decisions based on the access token): if the roles are changed on the authorization server, it will take effect on resource server(s) when the access token is refreshed
  • keeps the OAuth2 client session alive, so that the user session is controlled only by the authorization server session.