Replies: 2 comments 1 reply
that seems like an omission indeed; support for setting the "aud" to the revocation endpoint value was added in: e8c0c8d and will be in the next release 2.4.18.1; until then you could disable token revocation upon logout by setting: SetEnvIfExpr true "OIDC_DONT_REVOKE_TOKENS_BEFORE_LOGOUT=true"
1 reply
this is now released in https://github.com/OpenIDC/mod_auth_openidc/releases/tag/v2.4.18.1
0 replies
When handling a logout request to the OIDCRedirectURI, mod_auth_openidc sends the OIDC Provider a request to revoke the access token. The OP determines the aud claim in the request doesn't match the endpoint URI, and it rejects the request. The OP's revocation_endpoint differs from its token_endpoint, but the module uses the same aud for both.
For example, if the OP's openid-configuration includes these values:
and mod_auth_openidc's OIDCProviderTokenEndpointAuth is set to client_secret_jwt, then mod_auth_openidc creates a JWT assertion containing this claim when handling the logout request:
"aud": "https://example.com/op/profile/oidc/token"
and POSTs it to https://example.com/op/profile/oauth2/revocation.
A scan of logout.c and profile.c suggests that oidc_logout_revoke_tokens populates oidc_proto_profile_token_endpoint_auth_aud using oidc_cfg_provider_token_endpoint_url_get(provider).
Can the module set the audience to the revocation_endpoint URI instead, for revocation requests? For the example above, this would be:
"aud": "https://example.com/op/profile/oauth2/revocation"