
[GHI#25753] Backchannel logout token is missing the "exp" claim



      Area

      oidc

      Describe the bug

      When using backchannel logout, the sent logout token does not contain the required exp claim.

      I observed this while using a Quarkus-based application with backchannel logout configured. Quarkus complains when receiving the backchannel request:
      ```
      Back channel logout request for the tenant Default received
      Verification of the token issued to client shop has failed: No Expiration Time (exp) claim present.
      Back channel logout token is invalid
      ```
      So, Quarkus is properly implemented by following the OIDC Backchannel Logout spec, chapter 2.4, but Keycloak doesn't send the exp claim.

      Version

      23.0.3

      Expected behavior

      The logout token must contain the exp claim, as mentioned in the OIDC Backchannel Logout spec, chapter 2.4.

      Actual behavior

      The logout token does NOT contain the exp claim.

      Here's a dump of a current logout token payload:
      ```json
      {
        "iat": 1703156525,
        "jti": "a2836698-7660-44e8-a9f1-d27d8514b311",
        "iss": "http://localhost:8080/realms/bookshop",
        "aud": "shop",
        "sub": "a6df2d13-8e94-404b-addc-53e248afc95c",
        "typ": "Logout",
        "sid": "2b6eaf9b-990c-4733-a048-b8e8f28612b3",
        "events": {
          "http://schemas.openid.net/event/backchannel-logout": {}
        }
      }
      ```
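      As an added example (not Keycloak's or Quarkus's code), the following validator applies the logout-token claim checks from the OIDC Back-Channel Logout spec (sections 2.4 and 2.6) to the payload dumped above, reproducing the exp failure that Quarkus reports; the payload copy, the `issuer`/`client_id` arguments and the fixed `now` timestamp are assumed values for the example, and signature verification is assumed to have already been done.

```python
import time

# Copy of the logout token payload from the report (constructed for this example); note no "exp".
LOGOUT_TOKEN_PAYLOAD = {
    "iat": 1703156525,
    "jti": "a2836698-7660-44e8-a9f1-d27d8514b311",
    "iss": "http://localhost:8080/realms/bookshop",
    "aud": "shop",
    "sub": "a6df2d13-8e94-404b-addc-53e248afc95c",
    "typ": "Logout",
    "sid": "2b6eaf9b-990c-4733-a048-b8e8f28612b3",
    "events": {"http://schemas.openid.net/event/backchannel-logout": {}},
}

BACKCHANNEL_LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"


def validate_logout_token_claims(claims, issuer, client_id, now=None, max_age=300):
    """Return a list of validation errors for a decoded (already signature-checked)
    logout token payload, following the claim rules of Back-Channel Logout 1.0."""
    now = int(time.time()) if now is None else now  # injectable clock for testing
    errors = []
    if claims.get("iss") != issuer:
        errors.append("iss mismatch")
    aud = claims.get("aud")
    if not (aud == client_id or (isinstance(aud, list) and client_id in aud)):
        errors.append("aud does not contain this client")
    if "iat" not in claims:
        errors.append("iat missing")
    elif now - claims["iat"] > max_age:
        errors.append("iat too old")  # reject stale tokens (replay window)
    if "exp" not in claims:
        errors.append("No Expiration Time (exp) claim present")  # the bug on this page
    elif claims["exp"] <= now:
        errors.append("token expired")
    if "jti" not in claims:
        errors.append("jti missing")  # needed for replay detection
    if "sub" not in claims and "sid" not in claims:
        errors.append("neither sub nor sid present")
    events = claims.get("events")
    if not isinstance(events, dict) or not isinstance(events.get(BACKCHANNEL_LOGOUT_EVENT), dict):
        errors.append("events claim lacks the backchannel-logout member")
    if "nonce" in claims:
        errors.append("nonce must not be present in a logout token")  # prevents ID-token reuse
    return errors
```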

      How to Reproduce?

      Configure any client with a proper backchannel logout url, login/logout with any user from Keycloak and observe/investigate the sent logout token.

      Anything else?

      No response

      Assignee: Unassigned
      Reporter: Peter Skopek (pskopek@redhat.com)
      Component: Keycloak Core Features