Describe the bug

OIDC Backchannel Logout does not allow logout tokens having typ header of logout+jwt. By default the logoutTokenDecoderFactory creates a decoder that only allows null or JWT and this logoutTokenDecoderFactory doesn't seem to be easily configurable using the DSL.

In the OpenID Connect Back-Channel Logout specification it is recommended that the typ Header Parameter is set with a value of logout+jwt.

To Reproduce

Have an identity provider send a back-channel logout request to the Spring backend with a logout token with typ header of logout+jwt instead of JWT.

An error [invalid_request] An error occurred while attempting to decode the Jwt: JOSE header typ (type) logout+jwt not allowed occurs.

Expected behavior

The OIDC Backchannel Logout should by default accept and process tokens having typ header of logout+jwt.
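The typ rejection reported above can be reproduced outside the logout flow, as an added example that is not Spring Security's own code and does not show wiring into the OIDC logout DSL. It assumes spring-security-oauth2-jose and Nimbus JOSE+JWT on the classpath; the class name, issuer, subject and key are constructed for the demo, and keeping JWT and an absent typ in the allow-list alongside logout+jwt is a choice made here.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAPublicKey;
import java.util.Date;
import com.nimbusds.jose.JOSEObjectType;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.proc.DefaultJOSEObjectTypeVerifier;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtException;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

public class LogoutTokenTypDemo { // hypothetical class name
    static final JOSEObjectType LOGOUT_JWT = new JOSEObjectType("logout+jwt");
    // Builder defaults: Nimbus accepts only typ "JWT" or an absent typ.
    static JwtDecoder defaultDecoder(RSAPublicKey key) {
        return NimbusJwtDecoder.withPublicKey(key).build();
    }

    // Same decoder, with the JWS type verifier widened to include "logout+jwt".
    static JwtDecoder logoutTokenDecoder(RSAPublicKey key) {
        return NimbusJwtDecoder.withPublicKey(key)
            .jwtProcessorCustomizer(p -> p.setJWSTypeVerifier(
                new DefaultJOSEObjectTypeVerifier<>(LOGOUT_JWT, JOSEObjectType.JWT, null)))
            .build();
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair(); // throwaway key standing in for the IdP's
        Date now = new Date();
        SignedJWT jwt = new SignedJWT( // constructed sample token with typ logout+jwt
            new JWSHeader.Builder(JWSAlgorithm.RS256).type(LOGOUT_JWT).build(),
            new JWTClaimsSet.Builder().issuer("https://idp.example").subject("user-1")
                .issueTime(now).expirationTime(new Date(now.getTime() + 60_000)).build());
        jwt.sign(new RSASSASigner(kp.getPrivate()));
        String token = jwt.serialize();
        RSAPublicKey pub = (RSAPublicKey) kp.getPublic();
        try {
            defaultDecoder(pub).decode(token);
        } catch (JwtException ex) {
            System.out.println("default decoder rejected token: " + ex.getMessage());
        }
        System.out.println("typ accepted: " + logoutTokenDecoder(pub).decode(token).getHeaders().get("typ"));
    }
}
```

Only the typ check differs between the two decoders; signature and timestamp validation are unchanged, and the logout-token claim checks from the specification are outside this sketch.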