OpenID Connect Oauth2 Logout Token not using custom jwt alg

[adrien-dedecker]

Describe the bug
I am trying to make the Back-Channel Logout work with an OIDC client registered with an id_token_signed_response_alg of ES512 but when my OP send the POST request to the client app, I get a com.nimbusds.jose.proc.BadJOSEException: Signed JWT rejected: Another algorithm expected, or no matching key(s) found exception.
It looks like during the Back-Channel logout flow, the previously defined JwtDecoderFactory is not used to decode the Logout Token.

The Back-Channel logout works just fine when the client application is configured with an id_token_signed_response_alg of RS256 (default algorithm) and the custom JwtDecoderFactory removed.

I am using Spring Security 6.4.0-SNAPSHOT because some things weren't implemented in 6.3.

To Reproduce
Use a back-channel logout with an id_token_signed_response_alg different from RS256 (which is the default)

Expected behavior
The expected behaviour would be to have the back-channel logout work using the same id_token_signed_response_alg as the one for the login process, that was already customized.

[Indaplace]

Hello @jzheaux,

Any update on this enhancement please ?

We can't use the logout back channel with any other algorithms than the default RS256 without redefine our own OidcBackChannelLogoutFilter implementation.

OidcBackChannelLogoutAuthenticationProvider has a setter for the JwtDecoderFactory<ClientRegistration> logoutTokenDecoderFactory but it isn't a bean so we can't update it with a ObjectPostProcessor method.

In the OpenID specification, there is the property backchannel_authentication_request_signing_alg_values_supported which list all algorithms supported by the OP.

Thanks for your help

[therepanic]

Hi @jzheaux, I noticed this issue has been open for a while. If you are busy, I would be happy to help with the implementation.