Backchannel logout - token validators do not include LogoutTokenValidator - type logout+jwt gets rejected
17 views
Skip to first unread message
Anna Weber
Oct 23, 2025, 5:46:34 AMOct 23
to Pac4j development mailing list
Hi,
when setting up our application with OidcConfiguration etc. (Pac4j 6.2.2) and want to perform backchannel logout via the IdP, we get the following exception upon receiving the logout token:
ERROR o.p.o.c.e.OidcCredentialsExtractor [ ] Cannot validate JWT logout token | (OidcCredentialsExtractor.java:101)
com.nimbusds.jose.proc.BadJOSEException: JOSE header typ (type) logout+jwt not allowed
at com.nimbusds.jose.proc.DefaultJOSEObjectTypeVerifier.verify(DefaultJOSEObjectTypeVerifier.java:148)
at com.nimbusds.jwt.proc.DefaultJWTProcessor.process(DefaultJWTProcessor.java:378)
at com.nimbusds.openid.connect.sdk.validators.IDTokenValidator.validate(IDTokenValidator.java:321)
at com.nimbusds.openid.connect.sdk.validators.IDTokenValidator.validate(IDTokenValidator.java:254)
at org.pac4j.oidc.profile.creator.TokenValidator.validate(TokenValidator.java:144)
at org.pac4j.oidc.credentials.extractor.OidcCredentialsExtractor.extract(OidcCredentialsExtractor.java:78)
at org.pac4j.core.client.BaseClient.getCredentials(BaseClient.java:80)
at org.pac4j.core.engine.DefaultCallbackLogic.perform(DefaultCallbackLogic.java:81)
at org.pac4j.jee.filter.CallbackFilter.internalFilter(CallbackFilter.java:63)
at com.nimbusds.jose.proc.DefaultJOSEObjectTypeVerifier.verify(DefaultJOSEObjectTypeVerifier.java:148)
at com.nimbusds.jwt.proc.DefaultJWTProcessor.process(DefaultJWTProcessor.java:378)
at com.nimbusds.openid.connect.sdk.validators.IDTokenValidator.validate(IDTokenValidator.java:321)
at com.nimbusds.openid.connect.sdk.validators.IDTokenValidator.validate(IDTokenValidator.java:254)
at org.pac4j.oidc.profile.creator.TokenValidator.validate(TokenValidator.java:144)
at org.pac4j.oidc.credentials.extractor.OidcCredentialsExtractor.extract(OidcCredentialsExtractor.java:78)
at org.pac4j.core.client.BaseClient.getCredentials(BaseClient.java:80)
at org.pac4j.core.engine.DefaultCallbackLogic.perform(DefaultCallbackLogic.java:81)
at org.pac4j.jee.filter.CallbackFilter.internalFilter(CallbackFilter.java:63)
logout+jwt is defined in com.nimbusds.openid.connect.sdk.validators.LogoutTokenValidator
Thus, this validator should be included, and we cannot rely on IDTokenValidators for the logout token case.
Thus, this validator should be included, and we cannot rely on IDTokenValidators for the logout token case.
If the maintainers agree regarding this assessment I can create a PR and suggest a fix.
Thanks,
Anna
Jérôme LELEU
Oct 23, 2025, 5:50:28 AMOct 23
to Anna Weber, Pac4j development mailing list
Hi,
It makes sense. Feel free to subit a PR.
Thanks.
Best regards,
Jérôme
--
You received this message because you are subscribed to the Google Groups "Pac4j development mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pac4j-dev+...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/pac4j-dev/3d308a36-3f83-454d-9721-284b1617f624n%40googlegroups.com.
Reply all
Reply to author
Forward
0 new messages