Skip to content

Jto/updates id token hint #3944

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 6 commits into
base: main
Choose a base branch
from
Open

Jto/updates id token hint #3944

wants to merge 6 commits into from

Conversation

@jobannon
Copy link
Contributor

@jobannon jobannon commented Oct 3, 2025

No description provided.

@jobannon jobannon requested review from a team as code owners October 3, 2025 23:17
robotdan
robotdan reviewed Oct 22, 2025
View reviewed changes
astro/src/content/docs/release-notes/index.mdx Outdated
Comment on lines 148 to 151
**OAuth Logout Endpoint and the id_token_hint**

Now that we are identifying an `id_token` using the newly added `tty` claim, we are now correctly rejecting an `access_token` when used as the `id_token_hint` parameter (this aligns with the OAuth spec). If you had previously built an integration to send an `access_token` as the `id_token_hint` parameter instead of the `id_token` you will need to correct your integration before upgrading to this version.

Copy link
Member

@robotdan robotdan Oct 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Now that we are identifying an id_token using the newly added tty claim, the OAuth2 Logout endpoint will now correctly reject an access_token when sent as the id_token_hint parameter according to spec. If you have any integrations that are sending an access_token in the id_token_hint parameter instead of the id_token you will need to correct your integration prior to upgrading.

Copy link
Contributor Author

@jobannon jobannon Nov 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice, fixed up

robotdan
robotdan reviewed Oct 23, 2025
View reviewed changes
robotdan
robotdan previously approved these changes Oct 23, 2025
View reviewed changes
Copy link
Member

@robotdan robotdan left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good. I left one more comment for the heading - let's keep that short to match the other headings in this section.

parameter (this aligns with the OAuth spec).

IMO using parens is not great, this feels like an aside. Maybe better to just drop this since we already are saying we are now correctly rejecting this parameter and just say:

when used as the id_token_hint parameter.

And I think it is redundant to say to this version since this is part of the release notes for this version.

your integration before upgrading to this version.

Ensure you have reviewed the copy suggested in these comments:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@robotdan robotdan robotdan left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@jobannon @robotdan