Describe the bug

I am trying to make the Back-Channel Logout work with an OIDC client registered with an id_token_signed_response_alg of ES512, but when my OP sends the POST request to the client app, I get a com.nimbusds.jose.proc.BadJOSEException: Signed JWT rejected: Another algorithm expected, or no matching key(s) found exception. It looks like during the Back-Channel logout flow, the previously defined JwtDecoderFactory is not used to decode the Logout Token.

The Back-Channel logout works just fine when the client application is configured with an id_token_signed_response_alg of RS256 (default algorithm) and the custom JwtDecoderFactory removed.

I am using Spring Security 6.4.0-SNAPSHOT because some things weren't implemented in 6.3.

To Reproduce

Use a back-channel logout with an id_token_signed_response_alg different from RS256 (which is the default).

Expected behavior

The expected behaviour would be to have the back-channel logout work using the same id_token_signed_response_alg as the one for the login process, which was already customized.

Comment From: Indaplace

Hello @jzheaux,

Any update on this enhancement, please?

We can't use the logout back channel with any other algorithm than the default RS256 without redefining our own OidcBackChannelLogoutFilter implementation.

OidcBackChannelLogoutAuthenticationProvider has a setter for the JwtDecoderFactory<ClientRegistration> logoutTokenDecoderFactory, but it isn't a bean, so we can't update it with an ObjectPostProcessor.

In the OpenID specification, there is the property backchannel_authentication_request_signing_alg_values_supported which lists all algorithms supported by the OP.

Thanks for your help
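The configuration the report and the comment above describe, as an added example that is not code from the issue or from Spring Security itself: the login side is customized through a JwtDecoderFactory<ClientRegistration> bean whose OidcIdTokenDecoderFactory resolves ES512 for the affected registration, and the back-channel logout side builds a second factory with the same algorithm resolver and hands it to OidcBackChannelLogoutAuthenticationProvider via the setLogoutTokenDecoderFactory setter the comment mentions. The registration id "my-op", the ID_TOKEN_ALGS map and the use of OidcBackChannelLogoutTokenValidator as the logout-token validator are assumptions; as the comment says, the provider is not a bean, so the second factory only takes effect if the provider is also wired into the logout filter by hand.

```java
import java.util.Map;
import java.util.function.Function;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.client.oidc.authentication.OidcIdTokenDecoderFactory;
import org.springframework.security.oauth2.client.oidc.authentication.logout.OidcBackChannelLogoutAuthenticationProvider;
import org.springframework.security.oauth2.client.oidc.authentication.logout.OidcBackChannelLogoutTokenValidator;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.jose.jws.JwsAlgorithm;
import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
import org.springframework.security.oauth2.jwt.JwtDecoderFactory;

@Configuration
public class Es512TokenDecoderConfig {

    // Assumption: registrationId -> id_token_signed_response_alg agreed with the OP.
    // Anything not listed here keeps Spring Security's RS256 default.
    private static final Map<String, JwsAlgorithm> ID_TOKEN_ALGS = Map.of(
            "my-op", SignatureAlgorithm.ES512);

    // One resolver shared by the ID-token and logout-token decoder factories so
    // both flows verify with the same algorithm the client was registered with.
    static Function<ClientRegistration, JwsAlgorithm> jwsAlgorithmResolver() {
        return registration -> ID_TOKEN_ALGS.getOrDefault(
                registration.getRegistrationId(), SignatureAlgorithm.RS256);
    }

    // Login side: oauth2Login() picks up a JwtDecoderFactory<ClientRegistration>
    // bean by type, which is why login already works with ES512.
    @Bean
    JwtDecoderFactory<ClientRegistration> idTokenDecoderFactory() {
        OidcIdTokenDecoderFactory factory = new OidcIdTokenDecoderFactory();
        factory.setJwsAlgorithmResolver(jwsAlgorithmResolver());
        return factory;
    }

    // Logout side: a separate factory is needed because a Logout Token is not an
    // ID Token (it may carry only sid and no sub, and must have an events claim),
    // so the default ID-token validator must be swapped for the logout-token one.
    // This provider is NOT a bean; the back-channel logout DSL creates its own
    // instance, so this only takes effect when you also wire it into the
    // OidcBackChannelLogoutFilter yourself.
    static OidcBackChannelLogoutAuthenticationProvider logoutAuthenticationProvider() {
        OidcIdTokenDecoderFactory logoutTokenDecoderFactory = new OidcIdTokenDecoderFactory();
        logoutTokenDecoderFactory.setJwsAlgorithmResolver(jwsAlgorithmResolver());
        // Assumption: OidcBackChannelLogoutTokenValidator(ClientRegistration) is the
        // validator for Logout Token claims (iss, aud, iat, events, sid/sub, no nonce).
        logoutTokenDecoderFactory.setJwtValidatorFactory(OidcBackChannelLogoutTokenValidator::new);

        OidcBackChannelLogoutAuthenticationProvider provider =
                new OidcBackChannelLogoutAuthenticationProvider();
        provider.setLogoutTokenDecoderFactory(logoutTokenDecoderFactory);
        return provider;
    }
}
```

The check a practitioner should make after wiring this in: send a Logout Token signed with ES512 from the OP and confirm the client answers 200 and terminates the session, then send one signed with RS256 for the same registration and confirm it is rejected, since accepting both would defeat the point of pinning the algorithm.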

Comment From: therepanic

Hi @jzheaux, I noticed this issue has been open for a while. If you are busy, I would be happy to help with the implementation.