- That's an interesting mismatch indeed. I would argue that since the spec has a |
- I'm using signed and encrypted ID Tokens. At logout, the id_token is used for the id_token_hint and sent from the RP to the OP. The id_token_hint value is identical to the id_token (verified with a tracer). The OP fails to decrypt this id_token_hint, since it expects the id_token_hint to be encrypted by the client or to be non-encrypted. When using non-encrypted ID Tokens, logout works. SSO works with both encrypted and non-encrypted ID Tokens. From the specification:
If the ID Token received by the RP from the OP is encrypted, to use it as an id_token_hint, the Client MUST decrypt the signed ID Token contained within the encrypted ID Token. The Client MAY re-encrypt the signed ID token to the Authentication Server using a key that enables the server to decrypt the ID Token, and use the re-encrypted ID token as the id_token_hint value.
Using mod_auth_openidc.x86_64 version 2.4.6-1 on RHEL 7.9 with Apache 2.4.6-97.
Did anybody get logout working with an encrypted ID Token?
Frank