Bug
Resolution: Done
Before reporting an issue
[X] I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
oidc
Describe the bug
When using backchannel logout, the sent logout token does not contain the required exp claim.
I observed this while using a Quarkus-based application with backchannel logout configured. Quarkus complains when receiving the backchannel request:
```
Back channel logout request for the tenant Default received
Verification of the token issued to client shop has failed: No Expiration Time (exp) claim present.
Back channel logout token is invalid
```
So Quarkus is properly implemented, following the OIDC Backchannel Logout spec, chapter 2.4, but Keycloak doesn't send the exp claim.
Version
23.0.3
Expected behavior
The logout token must contain the exp claim, as mentioned in the OIDC Backchannel Logout spec, chapter 2.4.
Actual behavior
The logout token does NOT contain the exp claim.
Here's a dump of a current logout token payload:
```json
{
  "iat": 1703156525,
  "jti": "a2836698-7660-44e8-a9f1-d27d8514b311",
  "iss": "http://localhost:8080/realms/bookshop",
  "aud": "shop",
  "sub": "a6df2d13-8e94-404b-addc-53e248afc95c",
  "typ": "Logout",
  "sid": "2b6eaf9b-990c-4733-a048-b8e8f28612b3",
  "events": {
    "http://schemas.openid.net/event/backchannel-logout": {}
  }
}
```
How to Reproduce?
Configure any client with a proper backchannel logout url, login/logout with any user from Keycloak and observe/investigate the sent logout token.
Anything else?
No response
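The check that the relying party is applying here, as an added example that is not part of the report and not Keycloak's or Quarkus's code: a claim-level validator for a back-channel logout token following the claim requirements of OpenID Connect Back-Channel Logout 1.0 (section 2.4 for the claims, section 2.6 for the validation rules), run against the payload dumped above. Signature verification is assumed to have been done already (the function takes the decoded payload), the expected issuer and client id are taken from the dump, and the "fixed" payload with an exp claim added, the clock value and the leeway are constructed for the example.

```python
"""Claim-level checks for an OIDC Back-Channel Logout token payload.

Example code (not Keycloak's or Quarkus's). Assumes the JWT signature has
already been verified against the issuer's keys; only the decoded claims
are validated here, per Back-Channel Logout 1.0 sections 2.4 and 2.6.
"""
import time
from typing import List, Optional, Set

BACKCHANNEL_LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"
REQUIRED_CLAIMS = ("iss", "aud", "iat", "exp", "jti", "events")


def validate_logout_token(payload: dict, issuer: str, client_id: str,
                          now: Optional[int] = None, leeway: int = 60,
                          seen_jti: Optional[Set[str]] = None) -> List[str]:
    """Return a list of problems; an empty list means the token is acceptable."""
    now = int(time.time()) if now is None else now
    problems: List[str] = []

    # Section 2.4: iss, aud, iat, exp, jti and events are all REQUIRED.
    for claim in REQUIRED_CLAIMS:
        if claim not in payload:
            problems.append(f"missing required claim: {claim}")

    # Section 2.6: issuer and audience must match this relying party.
    if "iss" in payload and payload["iss"] != issuer:
        problems.append(f"iss {payload['iss']!r} does not match {issuer!r}")
    if "aud" in payload:
        aud = payload["aud"]
        auds = aud if isinstance(aud, list) else [aud]
        if client_id not in auds:
            problems.append(f"aud {auds!r} does not include client {client_id!r}")

    # Either sub or sid must be present (both may be); nonce is prohibited.
    if "sub" not in payload and "sid" not in payload:
        problems.append("neither sub nor sid present")
    if "nonce" in payload:
        problems.append("nonce claim present (prohibited in logout tokens)")

    # events must be a JSON object containing the backchannel-logout member,
    # whose value is itself a JSON object (normally empty).
    if "events" in payload:
        events = payload["events"]
        if not isinstance(events, dict):
            problems.append("events is not a JSON object")
        elif not isinstance(events.get(BACKCHANNEL_LOGOUT_EVENT), dict):
            problems.append("events lacks the backchannel-logout member")

    # Time checks: iat not in the future, exp not in the past (with leeway).
    iat = payload.get("iat")
    if isinstance(iat, int) and iat > now + leeway:
        problems.append("iat is in the future")
    exp = payload.get("exp")
    if isinstance(exp, int) and exp + leeway < now:
        problems.append("token expired")

    # Replay protection: a jti must not be accepted twice (caller keeps the set).
    jti = payload.get("jti")
    if seen_jti is not None and isinstance(jti, str):
        if jti in seen_jti:
            problems.append("jti already seen (replay)")
        else:
            seen_jti.add(jti)
    return problems


# Payload copied from the report above.
REPORTED_PAYLOAD = {
    "iat": 1703156525,
    "jti": "a2836698-7660-44e8-a9f1-d27d8514b311",
    "iss": "http://localhost:8080/realms/bookshop",
    "aud": "shop",
    "sub": "a6df2d13-8e94-404b-addc-53e248afc95c",
    "typ": "Logout",
    "sid": "2b6eaf9b-990c-4733-a048-b8e8f28612b3",
    "events": {BACKCHANNEL_LOGOUT_EVENT: {}},
}
ISSUER = "http://localhost:8080/realms/bookshop"
CLIENT_ID = "shop"
NOW = REPORTED_PAYLOAD["iat"] + 5          # constructed: 5 s after issuance
# Constructed variant of the same token with the exp claim the spec requires.
FIXED_PAYLOAD = {**REPORTED_PAYLOAD, "exp": REPORTED_PAYLOAD["iat"] + 120}

if __name__ == "__main__":
    print("reported:", validate_logout_token(REPORTED_PAYLOAD, ISSUER, CLIENT_ID, now=NOW))
    print("with exp:", validate_logout_token(FIXED_PAYLOAD, ISSUER, CLIENT_ID, now=NOW))
```

Run as is, the reported payload is rejected only for the missing exp claim, which is exactly the failure Quarkus logs; adding exp makes the same token pass, while an expired exp, a wrong audience or a replayed jti are each reported separately so the relying party can log the precise reason.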