I'm developing an Identity and Access Management (IAM) system based on the Spring Authorization Server libraries. Among its functionalities is logout, which adheres to the OpenID Connect 1.0 RP-Initiated Logout specification. However, the implementation in Spring Authorization Libraries requires the id_token_hint parameter, even though it's only recommended by the OIDC specification. I'm looking for advice on gracefully handling logout without enforcing this parameter, ensuring compatibility with various OIDC clients.
I haven't attempted any specific implementation yet, but I'm aware that I can override the OidcLogoutAuthenticationConverter class and implement custom authentication logic similar to the OidcLogoutAuthenticationProvider. I expect that by doing so, I can customize the logout process to remove the mandate for the id_token_hint parameter. Ideally, this would allow for graceful handling of logout requests without requiring the id_token_hint, ensuring compatibility with diverse OIDC clients. However, before proceeding with this approach, I want to inquire about the preferred or recommended approach within the Spring community for handling this scenario.
> However, the implementation in Spring Authorization Libraries requires the id_token_hint parameter, even though it's only recommended by the OIDC specification.

The `id_token_hint` parameter is required by Spring Authorization Server because the support is built by first looking up the `id_token` (as can be seen here). This is because authentication and session management are separate concerns and not directly managed by the framework. Authentication is handled by Spring Security and session management by Spring Session (and/or the servlet container). As far as I know, all of these concerns would need to be fully aware of each other and directly tied together to remove the need for the `id_token_hint` parameter.
> I'm looking for advice on gracefully handling logout without enforcing this parameter, ensuring compatibility with various OIDC clients.

Based on the above, I think this would need to be a custom implementation of both the `AuthenticationConverter` and `AuthenticationProvider` for RP-Initiated Logout in addition to session-related customization. Such support might be possible but could be quite challenging. I don't have specific recommendations for it as it would be fairly involved.
> However, before proceeding with this approach, I want to inquire about the preferred or recommended approach within the Spring community for handling this scenario.

Since both Spring Security's client-side support and Spring Authorization Server's server-side support utilize the `id_token_hint`, I think the recommendation is clear that it should be used and not removed. This is further reinforced by the fact that it is "RECOMMENDED" by the specification. Hopefully this answers your question.
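The recommended setup the answer describes, as an added example that is not part of the question or the answer: the client application uses Spring Security's `OidcClientInitiatedLogoutSuccessHandler`, which sends `id_token_hint` and `post_logout_redirect_uri` on logout, and the authorization server registers the only post-logout URI it will accept for that client. The two beans belong to two different applications; the client id, secret, and URIs are constructed placeholder values.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.client.oidc.web.logout.OidcClientInitiatedLogoutSuccessHandler;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.security.oauth2.core.oidc.OidcScopes;
import org.springframework.security.oauth2.server.authorization.client.InMemoryRegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
import org.springframework.security.web.SecurityFilterChain;

public class LogoutWiringExample {

    // --- Relying party (client application) ---
    // On local logout, Spring Security redirects the browser to the provider's
    // end_session_endpoint with id_token_hint taken from the stored OIDC user
    // and post_logout_redirect_uri expanded from the template below.
    @Bean
    SecurityFilterChain clientSecurityFilterChain(HttpSecurity http,
                                                  ClientRegistrationRepository clients) throws Exception {
        OidcClientInitiatedLogoutSuccessHandler rpLogout =
                new OidcClientInitiatedLogoutSuccessHandler(clients);
        rpLogout.setPostLogoutRedirectUri("{baseUrl}/logged-out"); // {baseUrl} = scheme://host:port/context
        http.oauth2Login(Customizer.withDefaults())
            .logout(logout -> logout.logoutSuccessHandler(rpLogout));
        return http.build();
    }

    // --- Authorization server ---
    // The id_token_hint lets the server look up the session that issued the
    // token; the registered post-logout URI is the allow-list the server checks
    // before redirecting, so an unregistered URI is rejected rather than followed.
    @Bean
    RegisteredClientRepository registeredClientRepository() {
        RegisteredClient webClient = RegisteredClient.withId("example-client-id")       // constructed value
                .clientId("web-client")                                                   // constructed value
                .clientSecret("{noop}change-me")                                          // constructed value
                .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
                .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                .redirectUri("http://127.0.0.1:8080/login/oauth2/code/web-client")     // constructed value
                .postLogoutRedirectUri("http://127.0.0.1:8080/logged-out")             // must match client template
                .scope(OidcScopes.OPENID)
                .build();
        return new InMemoryRegisteredClientRepository(webClient);
    }
}
```

A client that omits `id_token_hint` is answered with an error by the server rather than a silent logout, which is the behaviour the answer explains and the reason the parameter is kept on both sides.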