
Expired ID tokens are rejected at the authorization server on an RP-initiated logout #1440

Closed
sjohnr opened this issue Nov 7, 2023 · 1 comment
Labels: type: bug (A general bug)

Comments


sjohnr commented Nov 7, 2023

Describe the bug

Expired ID tokens are rejected at the authorization server on an RP-initiated logout.

To Reproduce

Using the included samples:

  1. Log in with the client using OIDC.
  2. Wait 30 minutes.
  3. Log out using RP-initiated logout and receive a 400 error for the id_token_hint parameter.

Expected behavior

Per the OpenID Connect RP-Initiated Logout 1.0 specification:

The OP SHOULD accept ID Tokens when the RP identified by the ID Token’s aud claim and/or sid claim has a current session or had a recent session at the OP, even when the exp time has passed.

sjohnr added the type: bug (A general bug) label on Nov 7, 2023
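The spec clause quoted above, as an added example (this is not Spring Authorization Server's code): a small OP-side check of an id_token_hint that keeps signature, issuer and audience as hard failures but, when exp has passed, consults the OP's session store and accepts the hint if the RP (found by sid, or by sub plus client) still has a current session or had one that ended within a recent window. The `reject_expired=True` path reproduces the behaviour the issue reports, where a past exp alone is a 400. The HS256 signing helper, the issuer and client names, the session store and the timestamps are all constructed for this demo; a real OP signs ID Tokens with an asymmetric key and verifies against its JWK set.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed values for the demo; NOW is an arbitrary epoch second.
ISSUER = "https://op.example"
CLIENT = "messaging-client"
NOW = 1699315200


@dataclass
class Session:
    """Minimal record of an RP's session at the OP (constructed for this example)."""
    sid: str
    sub: str
    client_id: str
    ended_at: Optional[int]  # None while current; epoch seconds once the session ended


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_hs256_id_token(claims: dict, key: bytes) -> str:
    """Mint an HS256 JWT; a toy so the example runs offline without an RSA/EC key."""
    seg = lambda obj: _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{seg({'alg': 'HS256', 'typ': 'JWT'})}.{seg(claims)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


class IdTokenHintValidator:
    def __init__(self, key: bytes, issuer: str, sessions, recent_window: int = 3600):
        self.key = key
        self.issuer = issuer
        self.sessions = list(sessions)
        self.recent_window = recent_window  # seconds after logout a session still counts as "recent"

    def _find_session(self, claims: dict, client_id: str) -> Optional[Session]:
        # The spec identifies the RP by the sid claim and/or the aud claim; try sid, then (sub, client).
        for s in self.sessions:
            if (claims.get("sid") and s.sid == claims["sid"]) or (
                s.sub == claims.get("sub") and s.client_id == client_id
            ):
                return s
        return None

    def validate(self, token: str, client_id: str, now: int, reject_expired: bool = False) -> Tuple[bool, str]:
        """Return (accepted, reason). reject_expired=True is the behaviour the issue reports."""
        parts = token.split(".")
        if len(parts) != 3:
            return False, "malformed"
        header_b64, body_b64, sig_b64 = parts
        expected = hmac.new(self.key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return False, "bad_signature"  # integrity first: never act on claims of an unverified hint
        claims = json.loads(_b64url_decode(body_b64))
        if claims.get("iss") != self.issuer:
            return False, "wrong_issuer"
        aud = claims.get("aud")
        if client_id not in (aud if isinstance(aud, list) else [aud]):
            return False, "wrong_audience"
        if claims.get("exp", 0) > now:
            return True, "valid"
        if reject_expired:
            return False, "expired"
        # Past exp: accept only if this RP has a current or recent session at the OP.
        sess = self._find_session(claims, client_id)
        if sess is None:
            return False, "expired_no_session"
        if sess.ended_at is None:
            return True, "expired_session_current"
        if now - sess.ended_at <= self.recent_window:
            return True, "expired_session_recent"
        return False, "expired_session_stale"


def demo() -> dict:
    """The issue's scenario: ID Token issued an hour ago, expired 30 minutes ago (constructed)."""
    key = b"constructed-demo-key"
    claims = {"iss": ISSUER, "aud": CLIENT, "sub": "user1", "sid": "sid-1", "iat": NOW - 3600, "exp": NOW - 1800}
    token = make_hs256_id_token(claims, key)
    header_b64, _, sig_b64 = token.split(".")
    altered_body = _b64url_encode(json.dumps({**claims, "sub": "someone-else"}).encode())
    tampered = f"{header_b64}.{altered_body}.{sig_b64}"  # payload changed after signing
    current = IdTokenHintValidator(key, ISSUER, [Session("sid-1", "user1", CLIENT, None)])
    recent = IdTokenHintValidator(key, ISSUER, [Session("sid-1", "user1", CLIENT, NOW - 600)])
    stale = IdTokenHintValidator(key, ISSUER, [Session("sid-1", "user1", CLIENT, NOW - 7200)])
    return {
        "reported_behaviour": current.validate(token, CLIENT, NOW, reject_expired=True),
        "current_session": current.validate(token, CLIENT, NOW),
        "recent_session": recent.validate(token, CLIENT, NOW),
        "stale_session": stale.validate(token, CLIENT, NOW),
        "no_session": IdTokenHintValidator(key, ISSUER, []).validate(token, CLIENT, NOW),
        "tampered": current.validate(tampered, CLIENT, NOW),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:20s} accepted={ok!s:5s} reason={why}")
```

Running `demo()` shows the split the spec asks for: the same expired token is refused under `reject_expired=True`, accepted while the session is current or ended within the window, and refused again once the session is stale or absent, while a tampered payload is refused before any session lookup happens. The `recent_window` value is a policy choice the spec leaves to the OP ("recent session"); what matters is that expiry alone does not decide the outcome.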
@maradanasai

Hi @sjohnr, thanks for reporting this. I'm able to reproduce this; thought of reporting it here.

Projects
Status: Done
Development

No branches or pull requests

3 participants