I just tested the backchannel feature of Keycloak (current release, 23.0.3) and am observing an issue…
My client is a Quarkus based application with an enabled and properly working OIDC configuration. Also the backchannel path is properly set.
Also the Keycloak client has proper backchannel configuration.
When logging out at Keycloak, Keycloak sends a logout request via the backchannel url to the client. This request contains the logout-token.
The Quarkus application complains as follows when receiving the request:
Back channel logout request for the tenant Default received
Verification of the token issued to client shop has failed: No Expiration Time (exp) claim present.
Back channel logout token is invalid
When decoding the sent logout-token, the payload looks like this:
{
  "iat": 1703156525,
  "jti": "a2836698-7660-44e8-a9f1-d27d8514b311",
  "iss": "http://localhost:8080/realms/bookshop",
  "aud": "shop",
  "sub": "a6df2d13-8e94-404b-addc-53e248afc95c",
  "typ": "Logout",
  "sid": "2b6eaf9b-990c-4733-a048-b8e8f28612b3",
  "events": {
    "http://schemas.openid.net/event/backchannel-logout": {}
  }
}
Indeed, there’s no exp claim.
But the OIDC Backchannel Spec says that the logout token MUST have an exp claim.
So, is it just me missing some configuration setting or is this a Keycloak bug?
Does anybody have a proper logout-token containing an exp claim?
Any hints are appreciated!
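To show why the Quarkus side rejects this token, here is an added example (not code from the question, Keycloak or Quarkus) that applies the claim checks from OIDC Back-Channel Logout 1.0 section 2.6 to the decoded payload pasted above; it assumes the JWT signature has already been verified and that the expected issuer and client id are passed in by the caller.

```python
import time

BACKCHANNEL_LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"

# Decoded logout-token payload exactly as pasted in the question (no exp claim).
KEYCLOAK_LOGOUT_TOKEN = {
    "iat": 1703156525,
    "jti": "a2836698-7660-44e8-a9f1-d27d8514b311",
    "iss": "http://localhost:8080/realms/bookshop",
    "aud": "shop",
    "sub": "a6df2d13-8e94-404b-addc-53e248afc95c",
    "typ": "Logout",
    "sid": "2b6eaf9b-990c-4733-a048-b8e8f28612b3",
    "events": {BACKCHANNEL_LOGOUT_EVENT: {}},
}


def validate_logout_token_claims(claims, expected_issuer, client_id, now=None, leeway=60):
    """Return the list of validation errors for a logout token's claims.

    An empty list means the claims satisfy the structural rules of
    OIDC Back-Channel Logout 1.0 section 2.6. Signature verification is
    assumed to have been done by the caller before this function runs.
    """
    now = int(time.time()) if now is None else now
    errors = []
    # The spec lists iss, aud, iat, exp, jti and events as REQUIRED.
    for required in ("iss", "aud", "iat", "exp", "jti", "events"):
        if required not in claims:
            errors.append(f"missing required claim: {required}")
    if claims.get("iss") != expected_issuer:
        errors.append("issuer mismatch")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        errors.append("client is not in the audience")
    # At least one of sub / sid identifies what is being logged out.
    if "sub" not in claims and "sid" not in claims:
        errors.append("token must carry sub and/or sid")
    # A nonce would make this look like an ID Token; the spec forbids it here.
    if "nonce" in claims:
        errors.append("nonce claim is prohibited in a logout token")
    events = claims.get("events")
    if not isinstance(events, dict) or BACKCHANNEL_LOGOUT_EVENT not in events:
        errors.append("events claim lacks the backchannel-logout member")
    iat, exp = claims.get("iat"), claims.get("exp")
    if isinstance(iat, int) and iat > now + leeway:
        errors.append("iat is in the future")
    if isinstance(exp, int) and exp < now - leeway:
        errors.append("token has expired")
    return errors
```

Run against the pasted payload with the realm URL and client id from the question, the only error reported is the missing exp claim, which matches the Quarkus log line.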