spring-projects / spring-security

Spring Security
http://spring.io/projects/spring-security
Apache License 2.0

OIDC Backchannel Logout does not allow logout tokens having `typ` header of `logout+jwt` #15003

Open justin-tay opened 2 weeks ago

justin-tay commented 2 weeks ago

Describe the bug

OIDC Backchannel Logout does not allow logout tokens having a `typ` header of `logout+jwt`. By default the `logoutTokenDecoderFactory` creates a decoder that only allows `null` or `JWT`, and this `logoutTokenDecoderFactory` doesn't seem to be easily configurable using the DSL.

In the OpenID Connect Back-Channel Logout specification it is recommended that the `typ` Header Parameter be set to `logout+jwt`.

To Reproduce

Have an identity provider send a back-channel logout request to the Spring backend with a logout token whose `typ` header is `logout+jwt` instead of `JWT`.

The error `[invalid_request] An error occurred while attempting to decode the Jwt: JOSE header typ (type) logout+jwt not allowed` occurs.

Expected behavior

The OIDC Backchannel Logout should by default accept and process tokens having a `typ` header of `logout+jwt`.
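The check the issue is about, as an added example rather than code from Spring Security or from the issue author: a minimal back-channel logout token decoder in Python that applies the `typ` allow-list the report attributes to the default decoder (absent or `JWT`) beside the one the specification calls for (adding `logout+jwt`), and then goes on to the claim checks the OpenID Connect Back-Channel Logout specification lists for a logout token. The HS256 signing, shared secret, issuer, client id and sample tokens are all constructed for this example; a production decoder verifies the provider's asymmetric signature against its JWKS, which is left out here.

```python
# Added example, not Spring Security's code. Everything below (HS256 signing,
# secret, issuer, client id, sample claims) is constructed for illustration.
import base64
import hashlib
import hmac
import json
import time

BACKCHANNEL_LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"

# `typ` allow-lists, compared case-insensitively as RFC 7519 describes for `typ`.
# DEFAULT_ALLOWED_TYP mirrors what the issue reports the default decoder accepts;
# LOGOUT_ALLOWED_TYP adds the value the Back-Channel Logout spec recommends.
DEFAULT_ALLOWED_TYP = frozenset({None, "jwt"})
LOGOUT_ALLOWED_TYP = frozenset({None, "jwt", "logout+jwt"})

# Constructed sample parameters (not real values).
SECRET = b"constructed-shared-secret-for-this-example-only"
ISSUER = "https://op.example"
CLIENT_ID = "spring-client"


class LogoutTokenError(ValueError):
    """Raised when a logout token fails header, signature or claim checks."""


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_hs256(header: dict, claims: dict, secret: bytes) -> str:
    """Build a compact JWS signed with HS256; used here only to construct samples."""
    header = {"alg": "HS256", **header}
    signing_input = "{}.{}".format(
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def decode_logout_token(token, secret, issuer, client_id,
                        allowed_typ=LOGOUT_ALLOWED_TYP, now=None):
    """Verify header, signature and logout-token claims; return the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise LogoutTokenError("not a compact JWS")
    header = json.loads(_b64url_decode(parts[0]))
    # 1. JOSE header: pin the algorithm and check `typ` before doing anything else.
    if header.get("alg") != "HS256":
        raise LogoutTokenError(f"alg {header.get('alg')} not allowed")
    typ = header.get("typ")
    if (typ.lower() if isinstance(typ, str) else typ) not in allowed_typ:
        raise LogoutTokenError(f"JOSE header typ (type) {typ} not allowed")
    # 2. Signature over the raw header.payload segments, compared in constant time.
    expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise LogoutTokenError("invalid signature")
    claims = json.loads(_b64url_decode(parts[1]))
    # 3. Claim checks from the OpenID Connect Back-Channel Logout specification.
    if claims.get("iss") != issuer:
        raise LogoutTokenError("iss mismatch")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise LogoutTokenError("aud does not contain client id")
    for required in ("iat", "jti"):
        if required not in claims:
            raise LogoutTokenError(f"missing {required}")
    now = time.time() if now is None else now
    if "exp" in claims and claims["exp"] < now:
        raise LogoutTokenError("token expired")
    events = claims.get("events")
    if not isinstance(events, dict) or not isinstance(events.get(BACKCHANNEL_LOGOUT_EVENT), dict):
        raise LogoutTokenError("events claim missing backchannel-logout member")
    if "sub" not in claims and "sid" not in claims:
        raise LogoutTokenError("neither sub nor sid present")
    if "nonce" in claims:
        raise LogoutTokenError("nonce must not be present in a logout token")
    return claims


def sample_logout_token(typ="logout+jwt", extra=None):
    """Constructed sample token; `typ=None` omits the header entirely."""
    claims = {"iss": ISSUER, "aud": CLIENT_ID, "iat": 1_700_000_000,
              "jti": "constructed-jti-1", "sid": "constructed-session-1",
              "events": {BACKCHANNEL_LOGOUT_EVENT: {}}}
    claims.update(extra or {})
    return encode_hs256({"typ": typ} if typ is not None else {}, claims, SECRET)


def rejection_reason(token, secret=SECRET, issuer=ISSUER, client_id=CLIENT_ID, **kwargs):
    """Return the rejection message for a token, or None if it validates."""
    try:
        decode_logout_token(token, secret, issuer, client_id, **kwargs)
    except LogoutTokenError as err:
        return str(err)
    return None


if __name__ == "__main__":
    token = sample_logout_token()
    print("default typ policy:", rejection_reason(token, allowed_typ=DEFAULT_ALLOWED_TYP))
    print("logout+jwt allowed:", decode_logout_token(token, SECRET, ISSUER, CLIENT_ID)["sid"])
```

Run as a script it prints the rejection the issue quotes under the default allow-list and the session id under the extended one. Because `typ` is checked before the signature, a token with a disallowed type is rejected without any key lookup, while the claim checks after the signature keep a merely retyped access or ID token (no `events` member, or a `nonce` present) from being accepted as a logout token.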