jazzband / django-oauth-toolkit

OAuth2 goodies for the Djangonauts!
https://django-oauth-toolkit.readthedocs.io

Logout should still be possible when id token is wrong #1293

Open smaris opened 1 year ago

smaris commented 1 year ago

Describe the bug: When the IDToken is expired, revoked, malformed or invalid, it is not possible to log out and the browser session will still exist.

To Reproduce: We currently use react-native-app-auth for authentication within a mobile app. Sometimes we get the message that the IDToken is expired, revoked, malformed or invalid. The logout is not possible because the session still exists.

Expected behavior: Django logout + post_logout_redirect_uri should still be possible.

Version: 2.3.0

dopry commented 9 months ago

Can you confirm the expired token is being provided as an id_token_hint per 2. RP-Initiated Logout?

RECOMMENDED. ID Token previously issued by the OP to the RP passed to the Logout Endpoint as a hint about the End-User's current authenticated session with the Client. This is used as an indication of the identity of the End-User that the RP is requesting be logged out by the OP.

When an id_token_hint parameter is present, the OP MUST validate that it was the issuer of the ID Token. The OP SHOULD accept ID Tokens when the RP identified by the ID Token's aud claim and/or sid claim has a current session or had a recent session at the OP, even when the exp time has passed. If the ID Token's sid claim does not correspond to the RP's current session or a recent session at the OP, the OP SHOULD treat the logout request as suspect, and MAY decline to act upon it.

It looks like https://github.com/jazzband/django-oauth-toolkit/blob/9aa27c7528cdeda0b85bac5a8a00b39d696a43f9/oauth2_provider/views/oidc.py#L238 is where this is happening.

Two things would cause that error...

1) We didn't find the token in the db using _load_id_token.

@smaris did you set OIDC_RP_INITIATED_LOGOUT_ACCEPT_EXPIRED_TOKENS to True? We chose to treat expired tokens as suspect by default to be more 'secure' by default. Is the ID token being sent in the hint a JWT Identity Token and not an Opaque Token?

2) The issuer doesn't match

@smaris have you verified the iss claim in the provided hint?
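The two checks dopry walks through above (issuer must match; expired hints are accepted only when a matching session exists or the operator opts in), as an added illustration that is not django-oauth-toolkit's own code. `OPState`, `evaluate_id_token_hint` and `make_hint` are hypothetical names; `accept_expired_tokens` stands in for the `OIDC_RP_INITIATED_LOGOUT_ACCEPT_EXPIRED_TOKENS` setting, and signature verification is assumed to have happened before the claims reach this function.

```python
import base64
import json
import time
from dataclasses import dataclass, field


@dataclass
class OPState:
    """Hypothetical OP-side state for the logout endpoint (not DOT's model)."""
    issuer: str
    # Constructed: session ids the OP currently (or recently) knows about,
    # mapped to the client_id (aud) each session was established for.
    sessions: dict = field(default_factory=dict)
    # Stands in for OIDC_RP_INITIATED_LOGOUT_ACCEPT_EXPIRED_TOKENS.
    accept_expired_tokens: bool = False


def decode_hint_claims(id_token_hint: str) -> dict:
    """Parse the claims segment of a compact JWT. This does NOT verify the
    signature; that is assumed to happen first (in DOT, when the token is
    loaded from the database). It only makes the claims readable."""
    parts = id_token_hint.split(".")
    if len(parts) != 3:
        raise ValueError("id_token_hint is not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def make_hint(claims: dict) -> str:
    """Build a constructed, unsigned test token with a placeholder signature."""
    def b64(raw: bytes) -> str:
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = b64(json.dumps({"alg": "none"}).encode())
    return f"{header}.{b64(json.dumps(claims).encode())}.placeholder-sig"


def evaluate_id_token_hint(claims: dict, op: OPState, now=None):
    """Return (decision, reason) for a logout request carrying id_token_hint.
    Decisions: 'accept', 'suspect' (the OP may decline to act), 'reject'."""
    now = time.time() if now is None else now
    # MUST: the OP has to be the issuer of the hint.
    if claims.get("iss") != op.issuer:
        return "reject", "iss claim does not match this OP"
    auds = claims.get("aud")
    auds = auds if isinstance(auds, list) else [auds]
    # SHOULD: accept when sid/aud map to a current or recent session here.
    session_client = op.sessions.get(claims.get("sid"))
    has_session = session_client is not None and session_client in auds
    expired = float(claims.get("exp", 0)) <= now
    if expired and not (has_session or op.accept_expired_tokens):
        return "reject", "expired hint and no matching session at the OP"
    if not has_session:
        return "suspect", "sid does not match a current or recent session"
    return "accept", "hint matches a known session for this client"
```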