I'm using pyoidc with a BackChannelLogout endpoint, with a Keycloak 18 server as OP. It does work, but if I enable the "Backchannel Logout Revoke Offline Sessions" in Keycloak I get this sort of Logout Token:
And this fails verification in `oic/oic/message.py`, as currently the 'events' claim verification is very strict:
```python
# Check the 'events' JSON
_keys = list(self["events"].keys())
if len(_keys) != 1:
    raise ValueError('Must only be one member in "events"')
if _keys[0] != BACK_CHANNEL_LOGOUT_EVENT:
    raise ValueError('Wrong member in "events"')
if self["events"][_keys[0]] != {}:
    raise ValueError('Wrong member value in "events"')
```
Here we cannot have multiple events, and the 'http://schemas.openid.net/event/backchannel-logout':{} event must be the first one.
When checking the RFC at https://openid.net/specs/openid-connect-backchannel-1_0.html#LogoutToken I do not see the 1 event restriction but simply a required verification that this event is present in the list:
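The difference discussed in this issue, as an added example that is not part of the original post and is not pyoidc's code: the strict check quoted above next to a presence-only check on the `events` claim, run over constructed sample claims. The function names and the `urn:example:extra-event` member are hypothetical, and the check covers only the `events` claim, not the rest of Logout Token validation (signature, `iss`, `aud`, `iat`, `sub`/`sid`).

```python
BACK_CHANNEL_LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"

# Constructed sample "events" claims. "urn:example:extra-event" is a placeholder
# for an additional member sent by an OP; it is not a value taken from the issue.
SAMPLES = {
    "single": {BACK_CHANNEL_LOGOUT_EVENT: {}},
    "extra_member": {BACK_CHANNEL_LOGOUT_EVENT: {}, "urn:example:extra-event": {}},
    "extra_member_first": {"urn:example:extra-event": {}, BACK_CHANNEL_LOGOUT_EVENT: {}},
    "missing": {"urn:example:extra-event": {}},
    "wrong_type": {BACK_CHANNEL_LOGOUT_EVENT: "yes"},
}

def verify_events_strict(events):
    """Same logic as the check quoted in the issue: exactly one member, value {}."""
    keys = list(events.keys())
    if len(keys) != 1:
        raise ValueError('Must only be one member in "events"')
    if keys[0] != BACK_CHANNEL_LOGOUT_EVENT:
        raise ValueError('Wrong member in "events"')
    if events[keys[0]] != {}:
        raise ValueError('Wrong member value in "events"')

def verify_events_presence(events):
    """Presence check: the logout member must exist and hold a JSON object.

    Other members and member order are ignored (hypothetical relaxed variant).
    """
    if not isinstance(events, dict):
        raise ValueError('"events" must be a JSON object')
    if BACK_CHANNEL_LOGOUT_EVENT not in events:
        raise ValueError('Missing back-channel logout member in "events"')
    if not isinstance(events[BACK_CHANNEL_LOGOUT_EVENT], dict):
        raise ValueError("Back-channel logout member value must be a JSON object")

def outcome(check, events):
    """Run one check and report the result as a string instead of raising."""
    try:
        check(events)
        return "accepted"
    except ValueError as err:
        return "rejected: %s" % err

def compare():
    """Map each sample name to (strict result, presence-only result)."""
    return {name: (outcome(verify_events_strict, ev), outcome(verify_events_presence, ev))
            for name, ev in SAMPLES.items()}

if __name__ == "__main__":
    for name, (strict, presence) in compare().items():
        print("%-20s strict=%-50s presence=%s" % (name, strict, presence))
```

The presence-only variant still rejects a token whose `events` claim lacks the back-channel logout member or carries a non-object value for it, so a JWT that is not a Logout Token is not accepted as one.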