That's an interesting mismatch indeed. I would argue that since the spec has a |
I'm using signed and encrypted ID Tokens. At logout, the id_token is used for the id_token_hint and sent from the RP to the OP. The id_token_hint value is identical to the id_token (verified with tracer). The OP fails to decrypt this id_token_hint, since it expects the id_token_hint to be encrypted by the client or to be non-encrypted. When using non-encrypted ID Tokens, logout works. SSO works with both encrypted and non-encrypted ID Tokens. From the specification:
If the ID Token received by the RP from the OP is encrypted, to use it as an id_token_hint, the Client MUST decrypt the signed ID Token contained within the encrypted ID Token. The Client MAY re-encrypt the signed ID token to the Authentication Server using a key that enables the server to decrypt the ID Token, and use the re-encrypted ID token as the id_token_hint value.
Using mod_auth_openidc.x86_64 version 2.4.6-1 on RHEL 7.9 with Apache 2.4.6-97.
Has anybody got logout working with an encrypted ID Token?
Frank
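An added example, not code from the post, from mod_auth_openidc or from the specification, showing the rule quoted above in Go: the RP decrypts the nested JWE it received, and what it sends as id_token_hint is the signed JWS found inside, never the outer JWE. It assumes a JWE with alg "dir" and enc "A256GCM" under a constructed 32-byte key (real OPs usually wrap a content key with the client's key instead), and a constructed placeholder JWS whose signature the OP, not the RP, verifies.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"strings"
)

var b64 = base64.RawURLEncoding
func gcmFor(key []byte) (cipher.AEAD, error) { // 32-byte key => AES-256-GCM ("A256GCM")
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}
// EncryptNested wraps an already signed ID Token (compact JWS) in a JWE with alg "dir"
// and enc "A256GCM" (RFC 7516 compact form); the protected header is the AES-GCM AAD.
func EncryptNested(jws string, key []byte) (string, error) {
	gcm, err := gcmFor(key)
	if err != nil { return "", err }
	iv := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(iv); err != nil { return "", err }
	hdr := b64.EncodeToString([]byte(`{"alg":"dir","enc":"A256GCM","cty":"JWT"}`))
	sealed := gcm.Seal(nil, iv, []byte(jws), []byte(hdr))
	n := len(sealed) - gcm.Overhead() // Go appends the tag; JWE carries it as its own segment
	return strings.Join([]string{hdr, "" /* no encrypted key with "dir" */, b64.EncodeToString(iv),
		b64.EncodeToString(sealed[:n]), b64.EncodeToString(sealed[n:])}, "."), nil
}

// IDTokenHint returns what the RP should send as id_token_hint: the ID Token as is when
// it is a plain JWS (3 segments), otherwise the signed JWS recovered from inside the JWE
// (5 segments). Forwarding the JWE unchanged is the mismatch the post describes.
func IDTokenHint(idToken string, key []byte) (string, error) {
	p := strings.Split(idToken, ".")
	if len(p) == 3 { return idToken, nil }
	if len(p) != 5 || p[1] != "" { return "", errors.New("expected a compact JWS or a JWE with alg \"dir\"") }
	iv, e1 := b64.DecodeString(p[2])
	ct, e2 := b64.DecodeString(p[3])
	tag, e3 := b64.DecodeString(p[4])
	gcm, e4 := gcmFor(key)
	if e1 != nil || e2 != nil || e3 != nil || e4 != nil || len(iv) != gcm.NonceSize() {
		return "", errors.New("malformed JWE segment or bad key")
	}
	inner, err := gcm.Open(nil, iv, append(ct, tag...), []byte(p[0]))
	if err != nil { return "", err } // wrong key or tampered token: never fall back to the JWE
	if strings.Count(string(inner), ".") != 2 { return "", errors.New("payload is not a compact JWS") }
	return string(inner), nil
}
```

A decryption failure is returned as an error rather than silently forwarding the JWE, which is the behaviour the OP's rejection above is reacting to.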