OIDC Logout is not sending id_token_hint parameter

Hi,
We have already set up an XWiki instance using OpenID Connect as the authentication method. It works fine for login and for getting userInfo, but when we try to log out we get the following message:

error_description: "The endSession endpoint …id_token_hint parameter"
error: "bad_request"
HTTP Request: https://{domain}/{context}/oauth2/connect/endSession?post_logout_redirect_uri=https%3A%2F%2F{domain}%2Fxwikistg%2Fbin%2Fview%2FIntegraci%2525C3%2525B3n%252520continua%2F&client_id=quality)

Analysing the request, it is true that the id_token_hint parameter is not included and should be, but we don’t know how to configure XWiki in order to send it.

Instance versions are:

  • XWiki: 15.10.8
  • OpenID Connect Authenticator: 2.8.6

Configuration parameters

oidc.xwikiprovider=https://openampre/oauth2
oidc.endpoint.authorization=https://openampre/oauth2/authorize
oidc.endpoint.token=https://openampre/oauth2/access_token
oidc.endpoint.userinfo=https://openampre/oauth2/userinfo
oidc.endpoint.logout=https://openampre/oauth2/connect/endSession
oidc.scope=openid,profile,email
oidc.endpoint.userinfo.method=POST
oidc.user.nameFormater=${oidc.issuer.host._clean}-${oidc.user.oidcuniqid._clean}
oidc.user.subjectFormater=${oidc.user.oidcuniqid}
oidc.user.mapping=subject=${oidc.user.sub}
oidc.user.mapping=preferred_username=${oidc.user.oidcuniqid}
oidc.idtokenclaims=
oidc.groups.claim=roles
oidc.groups.mapping=XWikiAllGroup=quality
oidc.groups.mapping=XWikiAdminGroup=quality-admin
oidc.groups.mapping=producion=producion
oidc.groups.allowed=quality
oidc.userinfoclaims=roles
oidc.clientid=quality
oidc.secret=XXX
oidc.endpoint.token.auth_method=client_secret_post
oidc.skipped=false

Thanks for your help.

Hi, I completely missed your message, sorry (someone else actually pointed me to it because of a similar problem).

I just released a 2.11.1 version of the OIDC authenticator, which always adds the id_token_hint to the logout request. I hope it will help you too.

Hi,
This fails on our installation, where Keycloak is used to authenticate XWiki users. On logout Keycloak says “invalid parameter id_token_hint” and the logout doesn’t happen.

If I understand it correctly, the problem seems to be that Keycloak expects an ID token with a correct signature (probably even requiring the token to be signed by the Keycloak instance itself). The ID token passed from XWiki to Keycloak has "alg": "none" in the headers. I think the original ID token needs to be stored and passed back to Keycloak during logout.

Tested with XWiki 15.10.4 and OpenID Connect Authenticator 2.11.2.

Thanks for your help, any suggestions welcome.

It’s the case, but indeed it’s the clear version which is kept and not the signed/encrypted one. I will store the real original one as is too and use this one for the logout request instead.

The 2.12.0 version of the authenticator is now available.
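The two things this thread turns on are the shape of the RP-initiated logout request (the endSession URL carrying id_token_hint, post_logout_redirect_uri and client_id) and the fact that the OP will only accept the ID token it originally issued, not a re-serialised copy with "alg": "none". The following is an added example, not code from XWiki or the OIDC authenticator: it builds that logout URL from a stored ID token and refuses to send a token that is unsigned, issued by someone else or not addressed to this client. The issuer, client_id and endpoint values are taken from the configuration posted above; the tokens are constructed in the block with placeholder signature bytes and are not real Keycloak or OpenAM tokens.

```python
"""Added example (not XWiki or OIDC authenticator code): build an OpenID
Connect RP-initiated logout request and check that the id_token_hint is the
original signed ID token rather than an unsigned copy.

Issuer, client_id and endpoint values come from the thread's configuration;
the ID tokens below are constructed for the demo and carry no real signature.
"""
import base64
import json
from urllib.parse import parse_qs, urlencode, urlparse

ISSUER = "https://openampre/oauth2"                          # oidc.xwikiprovider
LOGOUT_ENDPOINT = "https://openampre/oauth2/connect/endSession"  # oidc.endpoint.logout
CLIENT_ID = "quality"                                        # oidc.clientid
# Hypothetical post-logout landing page for the demo.
POST_LOGOUT_REDIRECT = "https://openampre/xwiki/bin/view/Main/"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_demo_id_token(alg: str, claims: dict, signature: bytes = b"") -> str:
    """Constructed JWT for the demo only: the signature bytes are arbitrary,
    nothing here performs or verifies a real signature."""
    header = {"alg": alg, "typ": "JWT"}
    segments = [
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        _b64url_encode(signature),
    ]
    return ".".join(segments)


def jwt_header(token: str) -> dict:
    return json.loads(_b64url_decode(token.split(".")[0]))


def jwt_claims(token: str) -> dict:
    return json.loads(_b64url_decode(token.split(".")[1]))


def usable_as_id_token_hint(token: str, client_id: str, issuer: str) -> bool:
    """A hint is only useful if it is the ID token the OP itself issued to
    this client: three segments, a non-empty signature, alg other than
    'none', the expected iss, and this client in aud. This is exactly the
    check that flags the 'cleared' token described in the thread."""
    parts = token.split(".")
    if len(parts) != 3 or not parts[2]:
        return False
    if jwt_header(token).get("alg", "none").lower() == "none":
        return False
    claims = jwt_claims(token)
    aud = claims.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    return claims.get("iss") == issuer and client_id in aud


def build_end_session_url(logout_endpoint: str, id_token: str,
                          post_logout_redirect_uri: str, client_id: str,
                          issuer: str) -> str:
    """Compose the RP-initiated logout URL; refuse to send an unusable hint
    so the failure is caught in the RP rather than as an OP 'bad_request'."""
    if not usable_as_id_token_hint(id_token, client_id, issuer):
        raise ValueError("id_token_hint must be the original signed ID token")
    query = urlencode({
        "id_token_hint": id_token,
        "post_logout_redirect_uri": post_logout_redirect_uri,
        "client_id": client_id,
    })
    return f"{logout_endpoint}?{query}"


def logout_request_params(url: str) -> dict:
    """Flatten the query of a logout URL so a caller can see which
    parameters were actually sent (the debugging step from the thread)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def demo_signed_token() -> str:
    return make_demo_id_token("RS256",
                              {"iss": ISSUER, "aud": CLIENT_ID, "sub": "user1"},
                              b"\x01\x02")


def demo_unsigned_token() -> str:
    # The re-serialised claims-only copy that Keycloak rejected.
    return make_demo_id_token("none",
                              {"iss": ISSUER, "aud": CLIENT_ID, "sub": "user1"})


if __name__ == "__main__":
    url = build_end_session_url(LOGOUT_ENDPOINT, demo_signed_token(),
                                POST_LOGOUT_REDIRECT, CLIENT_ID, ISSUER)
    print(sorted(logout_request_params(url)))
    try:
        build_end_session_url(LOGOUT_ENDPOINT, demo_unsigned_token(),
                              POST_LOGOUT_REDIRECT, CLIENT_ID, ISSUER)
    except ValueError as exc:
        print("rejected:", exc)
```

The signature check here is deliberately shallow (presence and algorithm only): the RP has no reason to re-verify the OP's signature before handing the token back, it only needs to store the original compact serialisation unchanged and send that, which is what the 2.12.x fix does.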

Hi,
Thank you for reacting so quickly!

With OIDC 2.12.0 I currently don’t get any id_token_hint in the logout request. I have since also updated XWiki to 16.7.0.

Very strange. I must have made some mistake. It would be very interesting if you could enable the debug log so that we have more details on what exactly happens to this ID token JWT.

Actually, I think I know what’s wrong, my IDE is playing tricks on me. Fixing something.

2.12.1 should give a less embarrassing result.


Works perfectly here, thank you very much!

Cool, that’s reassuring :slight_smile: I guess you won’t be the only one happy with that. Thanks for the tests and debugging.

Hi Thomas,
We’ll test it at our STG environment and come back to you with the result.
Thanks for your support.
Martí

We’ve tested your update and it works perfectly. Thank you so much for your support.