Hi,
We have already set up an XWiki instance using OpenID Connect as the authentication method. It works fine for login and for getting userInfo, but when we try to log out we get the following message:
Hi,
This fails on our installation where Keycloak is used to authenticate XWiki users. On logout Keycloak says “invalid parameter id_token_hint” and the logout doesn’t happen.
If I understand it correctly, the problem seems to be that Keycloak expects an ID token with a correct signature (probably even requiring the key to be signed by the Keycloak instance itself). The ID token passed from XWiki to Keycloak has "alg": "none" in the headers. I think the original ID token needs to be stored and passed back to Keycloak during logout.
Tested with XWiki 15.10.4 and OpenID Connect Authenticator 2.11.2.
It’s the case, but indeed it’s the clear version which is kept and not the signed/encrypted one. I will store the real original one as is too and use this one for the logout request instead.
Very strange. I must have made some mistake. It would be very interesting if you could enable the debug log so that we have more details on what exactly happens to this token id JWT.
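The condition discussed in this thread, as an added example that is not part of any post or of the OpenID Connect authenticator's code: a check of a token's compact form before it is sent as `id_token_hint`. The function name, issuer URL and sample tokens are constructed for illustration; the check looks at the token's shape only and does not verify a signature.

```python
import base64
import json

def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def id_token_hint_problems(token):
    """Hypothetical helper: reasons a provider that requires a signed
    id_token_hint would reject this token. Shape check only."""
    parts = token.split(".")
    if len(parts) != 3:
        return ["not a three-segment compact JWS (encrypted tokens are not inspected here)"]
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return ["header segment is not base64url-encoded JSON"]
    if not isinstance(header, dict):
        return ["header is not a JSON object"]
    problems = []
    alg = header.get("alg")
    if not isinstance(alg, str) or alg.lower() == "none":
        problems.append('header "alg" is missing or "none": token is unsigned')
    if not parts[2]:
        problems.append("signature segment is empty")
    return problems

# Constructed sample tokens (not taken from the thread).
_CLAIMS = {"iss": "https://idp.example/realms/demo", "sub": "constructed-user", "aud": "xwiki"}
# A token re-serialized from its parsed claims, as described in the thread.
UNSIGNED = ".".join([_b64url_encode({"alg": "none"}), _b64url_encode(_CLAIMS), ""])
# Same claims with a signed token's shape; the signature bytes are a placeholder.
SIGNED_SHAPE = ".".join([_b64url_encode({"alg": "RS256", "typ": "JWT"}),
                         _b64url_encode(_CLAIMS), "Y29uc3RydWN0ZWQtc2ln"])

if __name__ == "__main__":
    for name, tok in (("unsigned", UNSIGNED), ("signed-shape", SIGNED_SHAPE)):
        print(name, id_token_hint_problems(tok) or "ok")
```

Running the same check on the `id_token_hint` value captured from a debug log shows whether the original signed token or a re-serialized copy is being sent at logout.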