[
https://issues.apache.org/jira/browse/SLING-13099?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Martin Knyazyan updated SLING-13099:
------------------------------------
Description:
*The Issue:*
When implementing {*}RP-initiated logout{*}, Okta (and similar providers)
requires the {{id_token_hint=<id_token>}} request parameter to successfully
terminate the session on the IDP side.
*Technical Gap:*
Currently, {{org.apache.sling.auth.oauth_client.impl.SlingUserInfoProcessorImpl}}
is designed to store the {{access_token}} and {{refresh_token}} on the user node.
Since the *ID token* is not persisted, we cannot retrieve it to complete the
logout handshake OOTB.
*Improvement:*
We need a standardized process within the OIDC implementation to store and
access *ID tokens* on the user node, similar to how access and refresh tokens
are handled.
was:
*The Issue:*
When implementing {*}RP-initiated logout{*}, Okta (and similar providers)
requires the {{id_token_hint=<id_token>}} request parameter to successfully
terminate the session on the IDP side.
*Technical Gap:*
Currently, {{org.apache.sling.auth.oauth_client.impl.SlingUserInfoProcessorImpl
}}is only designed to store the {{access_token}} and {{refresh_token}} on the
user node. Since the *ID token* is not persisted, we cannot retrieve it to
complete the logout handshake OOTB.
*Improvement:*
We need a standardized process within the OIDC implementation to store and
access *ID tokens* on the user node, similar to how access and refresh tokens
are handled.
> Adjust org.apache.sling.auth.oauth_client.impl.SlingUserInfoProcessorImpl's
> OSGi config to support storing ID tokens
> --------------------------------------------------------------------------------------------------------------------
>
> Key: SLING-13099
> URL: https://issues.apache.org/jira/browse/SLING-13099
> Project: Sling
> Issue Type: New Feature
> Components: Extensions
> Reporter: Martin Knyazyan
> Priority: Minor
>
> *The Issue:*
> When implementing {*}RP-initiated logout{*}, Okta (and similar providers)
> requires the {{id_token_hint=<id_token>}} request parameter to successfully
> terminate the session on the IDP side.
> *Technical Gap:*
> Currently,
> {{org.apache.sling.auth.oauth_client.impl.SlingUserInfoProcessorImpl}} is
> designed to store the {{access_token}} and {{refresh_token}} on the user node.
> Since the *ID token* is not persisted, we cannot retrieve it to complete the
> logout handshake OOTB.
> *Improvement:*
> We need a standardized process within the OIDC implementation to store and
> access *ID tokens* on the user node, similar to how access and refresh tokens
> are handled.
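Added example (not code from the Sling issue or from the oauth_client bundle): the RP-initiated logout request that the issue says cannot be completed today, shown end to end. It persists the ID token beside the access and refresh tokens on a simulated user node (a plain dict standing in for the JCR user node), then builds the logout URL per OpenID Connect RP-Initiated Logout 1.0 (end_session_endpoint with id_token_hint, post_logout_redirect_uri and state). The issuer, client id, end_session_endpoint and registered redirect URI are assumed placeholders, and the ID token is a constructed unsigned test token; a real one is signed by the provider and verified at login, which this example does not repeat. Before the stored token is sent back as a hint, the example checks that it was issued by the configured provider for this client and that the redirect target is one the RP registered, so a stale or foreign token, or a caller-supplied redirect, never reaches the provider.

```python
import base64
import json
from urllib.parse import urlencode

# Assumed placeholders for the provider and client configuration.
ISSUER = "https://idp.example.test/oauth2/default"
CLIENT_ID = "example-client-id"
END_SESSION_ENDPOINT = ISSUER + "/v1/logout"
# Post-logout redirect URIs registered with the provider (assumed value).
REGISTERED_POST_LOGOUT_URIS = {"https://rp.example.test/logged-out"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_id_token(iss: str, aud: str, sub: str) -> str:
    """Constructed, unsigned test token (alg=none) used only to exercise the
    flow offline; never accept such a token from a real provider."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"iss": iss, "aud": aud, "sub": sub}).encode())
    return f"{header}.{payload}."


def persist_tokens(user_node: dict, access_token: str, refresh_token: str,
                   id_token: str) -> dict:
    """Store all three tokens on the (simulated) user node: the id_token sits
    beside access_token and refresh_token, as the issue asks for, and needs
    the same access protection as the refresh token."""
    user_node["access_token"] = access_token
    user_node["refresh_token"] = refresh_token
    user_node["id_token"] = id_token
    return user_node


def id_token_claims(id_token: str) -> dict:
    """Decode the payload of a compact JWS without verifying it; the token was
    verified when it was issued, and only its claims are consulted here."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token is not a compact JWS (expected 3 segments)")
    return json.loads(_b64url_decode(parts[1]))


def build_logout_url(user_node: dict, post_logout_redirect_uri: str,
                     state: str) -> str:
    """Return the RP-initiated logout URL for this user, or raise if the
    stored ID token is missing or does not belong to this issuer/client."""
    id_token = user_node.get("id_token")
    if not id_token:
        raise LookupError("no id_token on user node; cannot send id_token_hint")
    claims = id_token_claims(id_token)
    if claims.get("iss") != ISSUER:
        raise ValueError("stored id_token was not issued by the configured provider")
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise ValueError("stored id_token audience does not match this client")
    if post_logout_redirect_uri not in REGISTERED_POST_LOGOUT_URIS:
        raise ValueError("post_logout_redirect_uri is not registered for this RP")
    query = urlencode({
        "id_token_hint": id_token,
        "post_logout_redirect_uri": post_logout_redirect_uri,
        "state": state,
    })
    return f"{END_SESSION_ENDPOINT}?{query}"


if __name__ == "__main__":
    node = persist_tokens({}, "sample-access-token", "sample-refresh-token",
                          make_sample_id_token(ISSUER, CLIENT_ID, "user-1"))
    print(build_logout_url(node, "https://rp.example.test/logged-out", "abc123"))
```

The redirect is sent to the user's browser; the provider validates the hint and the registered redirect URI on its side, and the `state` value should be checked by the RP when the browser comes back, the same way it is after login.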
--
This message was sent by Atlassian Jira
(v8.20.10#820010)