Closed onghwand closed 4 months ago
@onghwand
Is there any particular reason for implementing the code to throw an error when there is no
id_token_hint
?
As per spec, id_token_hint
is RECOMMENDED
, and the implementation of OidcLogoutAuthenticationProvider
requires the ID Token, as it relies on it to perform validation of iss
, aud
, sid
and exp
claims, as well as, post_logout_redirect_uri
parameter.
Quite honestly, I'm not sure why id_token_hint
is not REQUIRED
. However, we decided to make it REQUIRED
as per RECOMMENDED
.
I'm going to close this based on the explanation provided.
Expected Behavior When requesting a logout without an id_token_hint, logging out should be possible.
Current Behavior The current version encounters an error with the OidcLogoutAuthenticationConverter when attempting a logout request without an id_token_hint.
Context There is a test case for the RP Initiated Logout Profile regarding requests made without an id_token_hint.
In the OpenID Connect RP-Initiated Logout 1.0 document (https://openid.net/specs/openid-connect-rpinitiated-1_0.html ), the id_token_hint parameter is RECOMMENDED, but not mandatory.
I want to successfully execute the test case using the Spring Authorization Server library. Is there any particular reason for implementing the code to throw an error when there is no id_token_hint?
How about modifying the code as follows:
If you agree with my suggestion, I would like to contribute to the Spring Authorization Server library.