Open
Description
Hello,
I'm using pyoidc with a BackChannelLogout endpoint, with a keycloak18 server as OP. It does work, but if I enable the "Backchannel Logout Revoke Offline Sessions" in Keycloak I get this sort of Logout Token:

```python
(...)
'events': {
    'http://schemas.openid.net/event/backchannel-logout': {},
    'revoke_offline_access': True
},
(...)
```
And this fails verification in oic/oic/message.py as currently the 'events' claim verification is very strict:
```python
        # Check the 'events' JSON
        _keys = list(self["events"].keys())
        if len(_keys) != 1:
            raise ValueError('Must only be one member in "events"')
        if _keys[0] != BACK_CHANNEL_LOGOUT_EVENT:
            raise ValueError('Wrong member in "events"')
        if self["events"][_keys[0]] != {}:
            raise ValueError('Wrong member value in "events"')
```
Here we cannot have multiple events, and the 'http://schemas.openid.net/event/backchannel-logout':{} event must be the first one.
When checking the RFC at https://openid.net/specs/openid-connect-backchannel-1_0.html#LogoutToken I do not see the 1 event restriction but simply a required verification that this event is present in the list:
- Verify that the Logout Token contains an events Claim whose value is JSON object containing the member name http://schemas.openid.net/event/backchannel-logout.
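The two readings side by side, as an added example that is not pyoidc's code: `events_ok_strict` mirrors the one-member rule quoted from `message.py`, `events_ok_spec` applies the spec wording linked above (the member must be present and its value must be a JSON object; other members are tolerated), and `logout_token_problems` adds the other claim checks the same spec section requires (`sub` or `sid` present, no `nonce`). The Keycloak-style `events` value is a constructed sample.

```python
# Added example, not pyoidc's code. Constructed sample data throughout.
BACK_CHANNEL_LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"

# Constructed sample: the shape Keycloak emits when
# "Backchannel Logout Revoke Offline Sessions" is enabled.
KEYCLOAK_EVENTS = {
    BACK_CHANNEL_LOGOUT_EVENT: {},
    "revoke_offline_access": True,
}


def events_ok_strict(events):
    """Mirror of the one-member rule in pyoidc as described in the issue."""
    keys = list(events.keys())
    return (
        len(keys) == 1
        and keys[0] == BACK_CHANNEL_LOGOUT_EVENT
        and events[keys[0]] == {}
    )


def events_ok_spec(events):
    """Spec rule: 'events' is a JSON object containing the back-channel
    logout member, and that member's value MUST be a JSON object (SHOULD be
    {}). Additional members, such as Keycloak's flag, are not forbidden."""
    if not isinstance(events, dict):
        return False
    return isinstance(events.get(BACK_CHANNEL_LOGOUT_EVENT), dict)


def logout_token_problems(claims):
    """Return a list of validation problems for the decoded Logout Token
    claims (empty list means the claim-level checks pass). Signature, iss,
    aud and iat are assumed to be checked as for an ID Token and are out
    of scope here."""
    problems = []
    if "events" not in claims:
        problems.append("missing 'events' claim")
    elif not events_ok_spec(claims["events"]):
        problems.append("'events' lacks a back-channel-logout member "
                        "whose value is a JSON object")
    if "sub" not in claims and "sid" not in claims:
        problems.append("neither 'sub' nor 'sid' present")
    if "nonce" in claims:
        problems.append("'nonce' must not be present in a Logout Token")
    return problems
```

The Keycloak sample fails `events_ok_strict` but passes `events_ok_spec`, which is exactly the discrepancy the issue reports.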