8000 Backchannel logout token with an unexpected signature algorithm key · Issue #40984 · keycloak/keycloak · GitHub
Backchannel logout token with an unexpected signature algorithm key #40984
Open
@jredantas

Description

Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

token-exchange

Describe the bug

I am encountering an unexpected behavior during the single sign out implementation, related to the signature encryption algorithm for the backchannel logout token. All backchannel logout tokens are encrypted using the algorithm key from the last client that requested a token from the server, for all clients in the same session.

That is, consider there are two clients, A - ES256 signature key, and B - RS256 signature key, authenticated in the same user session. If the last request to the server comes from client B, then both client A and client B receive a backchannel logout token encrypted using the algorithm key RS256.

The issue is that not all clients are able to implement both algorithms, producing errors for some clients in the same user session, when they get a token with an unexpected algorithm key.

Version

26.1.5

Regression

  • The issue is a regression

Expected behavior

For this use case, Keycloak should be able to send a backchannel logout token for each client, encrypted with their corresponding algorithm key.

When a single sign out logout is started, each client should receive a backchannel logout token encrypted using a signature algorithm corresponding to their own configuration. Client A receives a token encrypted with an ES256 algorithm, while client B receives a token encrypted with an RS256 algorithm.

Actual behavior

When a single sign out logout is started, both clients receive a backchannel logout token encrypted using the signature algorithm corresponding to the last client that called the server. Client A and client B both receive a token encrypted with an RS256 algorithm, or both clients receive a token encrypted with an ES256 algorithm.

How to Reproduce?

Keycloak configuration:

  • Configure one client A with "Access token signature algorithm" as ES256;
  • Configure one client B with "Access token signature algorithm" as RS256;
  • Realm default signature algorithm is RS256.

Execution flow:

  • Authenticate in the client A application;
  • Open client B application, using a single sign on implementation;
  • Refresh client A application page;
  • Disconnect from client A application;
  • Check the backchannel logout token.

When the user disconnects from client A (ES256), both clients get a backchannel logout token using the signature algorithm ES256, as follows:

Token client A:

{
"alg": "ES256",
"typ": "logout+jwt",
"kid": "9lf4bogHZdRuyGNOYucQhQ-ODIlE2-qBUTSYc8_wUFE"
}

eyJhbGciOiJFUzI1NiIsInR5cCIgOiAibG9nb3V0K2p3dCIsImtpZCIgOiAiOWxmNGJvZ0haZFJ1eUdOT1l1Y1FoUS1PRElsRTItcUJVVFNZYzhfd1VGRSJ9.eyJleHAiOjE3NTE5MTAzMTYsImlhdCI6MTc1MTkxMDE5NiwianRpIjoiMDRkNGNmZGItMjU0Ny00YmNhLTk5M2YtNTQyOTBiMTQ3ZWExIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy9zcWluIiwiYXVkIjoicGVzLWYiLCJzdWIiOiIzNjYxNWQ3MC1hMjcwLTQ4M2UtOGJhOS02YzNiOGVkYTQ2NGEiLCJ0eXAiOiJMb2dvdXQiLCJzaWQiOiJmNDFmZmZmYS1hMDI2LTRmMGMtYTc3MS1kZGEzYWI0ZWY3OGUiLCJldmVudHMiOnsiaHR0cDovL3NjaGVtYXMub3BlbmlkLm5ldC9ldmVudC9iYWNrY2hhbm5lbC1sb2dvdXQiOnt9fX0.9cf2AwqZdehLDkWO3nVRgmSa-k_NNgGnUg_cGl1ZjbOz3qOj5Dn1YsZze0yb1sBT27ziPSScNRmdl6KTzkh0hg

Token client B:

{
"alg": "ES256",
"typ": "logout+jwt",
"kid": "9lf4bogHZdRuyGNOYucQhQ-ODIlE2-qBUTSYc8_wUFE"
}

eyJhbGciOiJFUzI1NiIsInR5cCIgOiAibG9nb3V0K2p3dCIsImtpZCIgOiAiOWxmNGJvZ0haZFJ1eUdOT1l1Y1FoUS1PRElsRTItcUJVVFNZYzhfd1VGRSJ9.eyJleHAiOjE3NTE5MTAzMTYsImlhdCI6MTc1MTkxMDE5NiwianRpIjoiNDg0YWZlZjEtMjllYy00NWY3LWFmMzEtOWU4ZGNhZTc3MDk1IiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy9zcWluIiwiYXVkIjoicGVzLWciLCJzdWIiOiIzNjYxNWQ3MC1hMjcwLTQ4M2UtOGJhOS02YzNiOGVkYTQ2NGEiLCJ0eXAiOiJMb2dvdXQiLCJzaWQiOiJmNDFmZmZmYS1hMDI2LTRmMGMtYTc3MS1kZGEzYWI0ZWY3OGUiLCJldmVudHMiOnsiaHR0cDovL3NjaGVtYXMub3BlbmlkLm5ldC9ldmVudC9iYWNrY2hhbm5lbC1sb2dvdXQiOnt9fX0.ITWuqMeGaMDouJ8nAIcoWVbL1FEPEZ-qf-hkVo-2mcEqwUqyplyPZg-QYk205_wuhiJiHD9cTF-iyIjfs1ifYQ

On the other hand, when the user refreshes the page and disconnects from client B (RS256), both clients get a backchannel logout token using the signature algorithm RS256, as follows:

Token client A:

{
"alg": "RS256",
"typ": "logout+jwt",
"kid": "RfBySy3U9KtGUABmzJSlGbqwFYdeqHnrt-nJG5A83SU"
}

eyJhbGciOiJSUzI1NiIsInR5cCIgOiAibG9nb3V0K2p3dCIsImtpZCIgOiAiUmZCeVN5M1U5S3RHVUFCbXpKU2xHYnF3RllkZXFIbnJ0LW5KRzVBODNTVSJ9.eyJleHAiOjE3NTE5MTU2NTYsImlhdCI6MTc1MTkxNTUzNiwianRpIjoiZjEwNDViOWItZWY1My00ZTFmLTk3YTQtYWQyMzBkNzQ4OTllIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy9zcWluIiwiYXVkIjoicGVzLWYiLCJzdWIiOiIzNjYxNWQ3MC1hMjcwLTQ4M2UtOGJhOS02YzNiOGVkYTQ2NGEiLCJ0eXAiOiJMb2dvdXQiLCJzaWQiOiI1NWM1YjA2MS01YTA3LTQzNDYtYmM3Ny0yOTM3ZmEwNDRiOWIiLCJldmVudHMiOnsiaHR0cDovL3NjaGVtYXMub3BlbmlkLm5ldC9ldmVudC9iYWNrY2hhbm5lbC1sb2dvdXQiOnt9fX0.CxdRQcsIRNAKz_ZfwwU9X85eySDU-KBHF1MIgBkmF_3KB-WLoLZBiRPzq8sqHTGM6WfVCcjn_bVd0mJ6ToMlmw3Pr0m4Ye_SM2rvGzOtex1W3FitVlGg3P_FF-Z8tr11ICc_-yZLQUyhgl7Z_i_vVV0mCoGKak5mQ3gB1PyT_eghdvJ8L6it9YNia401OvDpgalmGYeCs0ISy-FVgOTCniZXPTbA3GmflfjTFz0-kjAZy-wvy2u022GSYIt0NxBH3Ym5I-A-ADQ7iqfWacUBu4We8fC0_r1CeMWNC1mdUlYi3VhsL4QcE4sEOaNdH7upbhcm5Dv6mK8ZsZtieKTRLrnTZ27_jArR9uM1_oBygYdJvM1Tkvh_ivn2fX3SPhUM6JGUn8NAIKbc9QOg4Gmih2GCbmOP2geuchm0W4Zhu_GWTie-0Q2Wy2J3g8YRsa8uneT7bLkh_uq60EZFe0TmW1fBfh0uqzB6uYoRWSxix0ZHBSnYjMd710scgOquovg9VHDHwpTvrRyJMge-PV5B9TObhht3JJ6Ygd3C6Kz_4ZnS7F_Xr9zSbZUs4-U2Hc8HjQ3HIiG0VvbeCwuwseU55rwQ0hX13D-_TWzLINNJN57DRcOU3XjS1n-hlpelNo74cWgMfklnFcAa4FbXD_ilydmij3Y4aAFiQ4R_cy2gZAc

Token client B:

{
"alg": "RS256",
"typ": "logout+jwt",
"kid": "RfBySy3U9KtGUABmzJSlGbqwFYdeqHnrt-nJG5A83SU"
}

eyJhbGciOiJSUzI1NiIsInR5cCIgOiAibG9nb3V0K2p3dCIsImtpZCIgOiAiUmZCeVN5M1U5S3RHVUFCbXpKU2xHYnF3RllkZXFIbnJ0LW5KRzVBODNTVSJ9.eyJleHAiOjE3NTE5MTU2NTYsImlhdCI6MTc1MTkxNTUzNiwianRpIjoiODg3OWQ0ZDgtMGEzMi00YTMxLWI2MWMtY2NkMzFiYzBlOWM2IiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy9zcWluIiwiYXVkIjoicGVzLWciLCJzdWIiOiIzNjYxNWQ3MC1hMjcwLTQ4M2UtOGJhOS02YzNiOGVkYTQ2NGEiLCJ0eXAiOiJMb2dvdXQiLCJzaWQiOiI1NWM1YjA2MS01YTA3LTQzNDYtYmM3Ny0yOTM3ZmEwNDRiOWIiLCJldmVudHMiOnsiaHR0cDovL3NjaGVtYXMub3BlbmlkLm5ldC9ldmVudC9iYWNrY2hhbm5lbC1sb2dvdXQiOnt9fX0.gxDrRnrXPHBlHGadKj9QbZqrr4JUiGGpFqHwOBJUK_uEGsiQiCIt0SjWZLCf0qs-B74cayv-PW8QYTIYoC3EjkdkfsKJ8G8F_FugWWgw3Rp0mWLa0myNRs3r4z5_xm8K_NFvbO4utBoJW23SAOYbsYT7Sg3E1oqKULFKp9B-LF5fdTlI_5JaNwJCAOBddbimNniKGJE5u_Wd3_XUuYvAR9Nf_iAmd5Mk2Op46wMKFVUlLl-l43JfRh-flBAZDST3khVQ0A8Zi9PCYw3PpMtwMKhEw-2fiD9riJ54R9Tx4u6g1gIayFxrsbVm_iOV1IRHPlP_JTMZta7lMDvgFQqW48AlBHvL3hyqZmH3lty0hmT0zLo77_lIC6nQGRTl6N8WMleEWGItYPQU8TFaifn7KbO17OTWl_NGnouYSUkCFn7qNpvYchVZIzEZotd17KdSwI7epSU2pNNdEqRdTNusY-4ugvD-ysBIEah8QkFqJo2ip_PU7YsCAUeilmZ-ocm-3XBeNAIu-CQepZAbEsdVxw30C_CgtFdGnkxoHrgLtqEAw3RUvW2p0F7ZFXv1n_70DSQxn48gYYb-p4ZkZj-5SZA3bn7wbWqyqRoRIVzniXdyC6uzEt237FTYn_BM6LwUOB13K5rfgKxVbn2LlXb0ZApLOXpVKhy23UkqQCWEp9g

Anything else?

No response
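One defensive check a backchannel logout receiver can run before acting on a token, as an added example that is not part of the issue report or of Keycloak's code: decode the JOSE header and compare its `alg` with the algorithm the client itself is configured for, rather than accepting whatever algorithm the issuer happened to use, and apply the other logout-token claim checks from the OIDC Back-Channel Logout spec (`iss`, `aud`, `events`, `sid`/`sub`, no `nonce`). It runs on the ES256 token quoted above for client A; the expected issuer and audience (`http://localhost:8080/realms/sqin`, `pes-f`) are the values decoded from that token. Signature verification against the realm key is assumed to happen separately and is not shown here.

```python
import base64
import json

BACKCHANNEL_LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"
EXPECTED_ISSUER = "http://localhost:8080/realms/sqin"  # taken from the token payload

# The ES256 logout token for client A quoted in the issue above (unchanged).
TOKEN_CLIENT_A = (
    "eyJhbGciOiJFUzI1NiIsInR5cCIgOiAibG9nb3V0K2p3dCIsImtpZCIgOiAiOWxmNGJvZ0haZFJ1eUdOT1l1Y1FoUS1PRElsRTItcUJVVFNZYzhfd1VGRSJ9"
    ".eyJleHAiOjE3NTE5MTAzMTYsImlhdCI6MTc1MTkxMDE5NiwianRpIjoiMDRkNGNmZGItMjU0Ny00YmNhLTk5M2YtNTQyOTBiMTQ3ZWExIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy9zcWluIiwiYXVkIjoicGVzLWYiLCJzdWIiOiIzNjYxNWQ3MC1hMjcwLTQ4M2UtOGJhOS02YzNiOGVkYTQ2NGEiLCJ0eXAiOiJMb2dvdXQiLCJzaWQiOiJmNDFmZmZmYS1hMDI2LTRmMGMtYTc3MS1kZGEzYWI0ZWY3OGUiLCJldmVudHMiOnsiaHR0cDovL3NjaGVtYXMub3BlbmlkLm5ldC9ldmVudC9iYWNrY2hhbm5lbC1sb2dvdXQiOnt9fX0"
    ".9cf2AwqZdehLDkWO3nVRgmSa-k_NNgGnUg_cGl1ZjbOz3qOj5Dn1YsZze0yb1sBT27ziPSScNRmdl6KTzkh0hg"
)


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_unverified(token: str) -> tuple:
    """Split a compact JWS and return (header, claims) without checking the signature."""
    header_b64, payload_b64, _signature_b64 = token.split(".")
    return json.loads(_b64url_decode(header_b64)), json.loads(_b64url_decode(payload_b64))


def check_logout_token(token: str, expected_alg: str, expected_iss: str, client_id: str) -> list:
    """Return a list of problems; an empty list means the token passed every check."""
    header, claims = decode_unverified(token)
    problems = []
    # The client, not the issuer, decides which algorithm it will accept (the point of the issue).
    if header.get("alg") != expected_alg:
        problems.append(f"alg is {header.get('alg')!r}, this client is configured for {expected_alg!r}")
    if header.get("typ", "logout+jwt") != "logout+jwt":
        problems.append(f"unexpected typ header {header.get('typ')!r}")
    if claims.get("iss") != expected_iss:
        problems.append(f"iss is {claims.get('iss')!r}, expected {expected_iss!r}")
    aud = claims.get("aud", [])
    if client_id not in ([aud] if isinstance(aud, str) else aud):
        problems.append(f"aud {aud!r} does not contain this client {client_id!r}")
    if BACKCHANNEL_LOGOUT_EVENT not in claims.get("events", {}):
        problems.append("events claim lacks the backchannel-logout member")
    if "sid" not in claims and "sub" not in claims:
        problems.append("neither sid nor sub is present")
    if "nonce" in claims:
        problems.append("nonce must not be present in a logout token")
    return problems


if __name__ == "__main__":
    print(check_logout_token(TOKEN_CLIENT_A, "ES256", EXPECTED_ISSUER, "pes-f"))  # []
    print(check_logout_token(TOKEN_CLIENT_A, "RS256", EXPECTED_ISSUER, "pes-f"))  # alg mismatch
```

A receiver that rejects the mismatched token this way fails closed, which is safer than a receiver that attempts verification with whatever algorithm the header names.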
