When trying to log out after updating the access token, I get the error: 400 Bad request - invalid id_token_hint. The authorization server uses JdbcOAuth2AuthorizationService. Therefore, I see that the client token (oidc_id_token_value) is updated along with the access token, but the client (spring-oauth2-client + gateway) does not update this token. Please tell me how to update this token on the client or make it so that the authorization server does not update it. And in general, what is this oidc_id_token/id_token_hint token? I could not find information about it in Spring. I would be grateful for any help and thanks in advance!
When configuring the logout I used this link. So far I see only one solution - write a custom token repository that will not update the client token (oidc_id_token) field. But I think this is a bad solution. And I still don't understand how this happens and why, because it hasn't expired yet.
UPDATE:
I found several similar links to my problem, but all I understood from them is that the problem is not solved. Maybe it will be useful to someone:
what is this token oidc_id_token/id_token_hint
The id_token_hint is a recommended parameter of the logout request sent to the authorization server, as defined in the RP-Initiated Logout spec.
write a custom token repository that will not update the client token(oidc_id_token) field. But I think this is a bad solution.
Yes, it is a bad solution. It would be very awkward for an authorization server to issue expired tokens.
As with all JWTs, ID tokens expire - even if their lifetime is usually longer than that of access tokens. So when tokens are refreshed, all of them should be (all but the refresh token if you want to force a new login after the original refresh token expires). The RP-Initiated Logout spec states that the authorization server SHOULD accept an expired id_token_hint, which means that it is recommended it does, but you have no guarantee that it will. So just have the client send a valid ID token (with an exp claim in the future).
but the client (spring-oauth2-client + gateway) does not update this token
It does, sometimes...
The tokens are refreshed when accessed using the (Reactive)OAuth2AuthorizedClientManager. Unfortunately, the OidcClientInitiated(Server)LogoutSuccessHandler internally uses the (Reactive)ClientRegistrationRepository which doesn't refresh expired tokens. I opened a ticket to fix that.
In my applications:
/me endpoint that reflects some access token claims - a minimum of username, authorities, and access token expiration
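As an added illustration of the point made in the answer above (this is example code, not from the question, the answer, or Spring itself), the following builds the RP-Initiated Logout request and refuses to attach an id_token_hint whose exp claim is already in the past, so the caller knows it must refresh the ID token first instead of relying on the authorization server accepting an expired hint. The endpoint URL, redirect URI, state value and the unsigned sample token are all constructed for the demo; the payload is only decoded to read exp, since the authorization server, not the client, validates the hint.

```python
import base64
import json
import time
from typing import Optional
from urllib.parse import urlencode


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def id_token_claims(id_token: str) -> dict:
    # Payload only. Signature verification happened when the ID token was
    # received at login; here we just need the exp claim.
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(b64url_decode(parts[1]))


def id_token_is_fresh(id_token: str, now: Optional[int] = None, skew: int = 30) -> bool:
    # True when exp is still in the future, allowing for clock skew.
    exp = id_token_claims(id_token).get("exp")
    if exp is None:
        return False
    now = int(time.time()) if now is None else now
    return exp - skew > now


def build_logout_url(end_session_endpoint: str, id_token: str,
                     post_logout_redirect_uri: str, state: str,
                     now: Optional[int] = None) -> str:
    # RP-Initiated Logout: the spec only says the AS SHOULD accept an expired
    # id_token_hint, so send a hint that is still valid or refresh it first.
    if not id_token_is_fresh(id_token, now):
        raise ValueError("ID token expired: refresh it before sending id_token_hint")
    params = {"id_token_hint": id_token,
              "post_logout_redirect_uri": post_logout_redirect_uri,
              "state": state}
    return end_session_endpoint + "?" + urlencode(params)


def make_unsigned_token(claims: dict) -> str:
    # Constructed sample token (alg none, empty signature) for the demo only.
    header = b64url_encode(json.dumps({"alg": "none"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."
```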