Hi all,

In the OIDC logout flow, we send the ID token as a user identification method,
similar to the following request.

https://localhost:9443/oidc/logout?id_token_hint=<id_token>&post_logout_redirect_uri=http://localhost:8080/playground2/oauth2client&state=1

When validating the ID token, we are trying to get the tenant domain from the
subject claim of the id token hint [1] in the default flow. This will only
work if 'Append tenant domain to subject identifier' is selected in the
SP configuration. In other scenarios it fails with the error "access_denied
ID token signature validation failed." This is because, if the subject does not
contain the tenant domain, we try to validate the id token with the super
tenant's keystore. Further, this fails when the subject identifier is set to the
email claim and the email contains a different domain such as sat...@wso2.com

We have a config in identity.xml ('SignJWTWithSPKey') to enable/disable signing
the ID token with the SP's keystore. As this configuration is disabled by
default, the ID token will be signed and validated using the user's tenant domain,
leading to the above issue.

As a possible solution, we have decided to include the user tenant domain and
userstore domain as claims in the id token generated by IS. This can be
disabled by a config; however, in the default pack it will be enabled by
default. A sample id token is as follows.

{
  "at_hash": "Bi9jGB-EIZ94gVzHZv5trQ",
  "aud": "b3F9IGMtm0aKGlHfG4BnI2Ypi7Qa",
  "sub": "sathya",
  "realm": {
    "tenant_domain": "wso2.com",
    "userstore_domain": "PRIMARY"
  },
  "iss": "https://localhost:9443/oauth2/token",
  "exp": 1554367465,
  "iat": 1554363865
}

Also, the 'SignJWTWithSPKey' property will be enabled by default in the product,
honoring the service provider's tenant domain when obtaining keys for signing
and validating id tokens.

Highly appreciate your suggestions and concerns on this.

[1] https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oidc.session/src/main/java/org/wso2/carbon/identity/oidc/session/servlet/OIDCLogoutServlet.java#L331
Thanks,
Sathya
-- 
Sathya Bandara
Senior Software Engineer
Blog: https://medium.com/@technospace
WSO2 Inc. http://wso2.com
Mobile: (+94) 715 360 421
_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
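The tenant lookup the proposal describes, as an added example that is not WSO2 IS code: it reads the proposed realm.tenant_domain claim from id_token_hint to pick the verification key, falls back to the legacy subject-suffix rule when the claim is absent, and reproduces the failure for an email-style subject. Per-tenant keystores are stood in for by constructed per-tenant HMAC secrets (HS256) so it runs offline; the function names and the TENANT_KEYS map are assumptions.

```python
import base64, hashlib, hmac, json

# Constructed stand-in for per-tenant keystores: tenant domain -> signing key.
TENANT_KEYS = {
    "carbon.super": b"super-tenant-secret",
    "wso2.com": b"wso2-tenant-secret",
}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_token(claims: dict, key: bytes) -> str:
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def resolve_tenant(claims: dict) -> str:
    """Prefer realm.tenant_domain; fall back to the legacy subject-suffix lookup."""
    realm = claims.get("realm") or {}
    if realm.get("tenant_domain"):
        return realm["tenant_domain"]
    sub = claims.get("sub", "")
    # Legacy rule: 'user@tenant' -> tenant; a plain username means the super tenant.
    # An email-style subject breaks this: 'sathya@gmail.com' -> tenant 'gmail.com'.
    return sub.rsplit("@", 1)[1] if "@" in sub else "carbon.super"

def validate_id_token_hint(token: str):
    """Return (signature_ok, tenant_used). Claims are read unverified only to
    choose the key; the signature check is what actually establishes trust."""
    header, payload, sig = token.split(".")
    claims = json.loads(b64url_decode(payload))
    tenant = resolve_tenant(claims)
    key = TENANT_KEYS.get(tenant)
    if key is None:
        return False, tenant  # unknown tenant -> no keystore -> validation fails
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig)), tenant

def demo():
    # Constructed claims mirroring the sample token, with an email-style subject.
    base = {"sub": "sathya@gmail.com", "aud": "b3F9IGMtm0aKGlHfG4BnI2Ypi7Qa",
            "iss": "https://localhost:9443/oauth2/token"}
    with_realm = dict(base, realm={"tenant_domain": "wso2.com", "userstore_domain": "PRIMARY"})
    token_new = sign_token(with_realm, TENANT_KEYS["wso2.com"])  # proposed format
    token_old = sign_token(base, TENANT_KEYS["wso2.com"])        # current format
    return validate_id_token_hint(token_new), validate_id_token_hint(token_old)
```

Running demo() shows the token carrying the realm claim validating against the wso2.com key, while the same claims without it resolve to a non-existent gmail.com tenant and fail, as the mail describes.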