logout: revoke tokens with a configurable JWT auth "aud" value

when revoking tokens at the revocation endpoint (upon logout) with
client_secret_jwt or private_key_jwt, use the revocatoin endpoint as
"aud" value (instead of the token endpoint that was used before), unless
environment variable OIDC_TOKEN_REVOCATION_AUD is set to "token" (or
another literal aud value)

Signed-off-by: Hans Zandbelt <[email protected]>

Author: zandbelt

ChangeLog

@@ -1,3 +1,9 @@
+09/27/2025
+- logout: when revoking tokens at the revocation endpoint with client_secret_jwt or
+  private_key_jwt, use the revocatoin endpoint as "aud" value (instead of the token endpoint
+  that was used before), unless environment variable OIDC_TOKEN_REVOCATION_AUD is set to
+  "token" (or another literal aud value)
+
 09/13/2025
 - redis: apply global (server-wide) locking when system(!) environment variable
   OIDC_REDIS_MUTEX_GLOBAL is set, for backwards compatibility, through:

src/handle/logout.c

@@ -48,6 +48,8 @@
 
 #define OIDC_DONT_REVOKE_TOKENS_BEFORE_LOGOUT_ENVVAR "OIDC_DONT_REVOKE_TOKENS_BEFORE_LOGOUT"
 
+#define OIDC_TOKEN_REVOCATION_AUD_ENV_VAR "OIDC_TOKEN_REVOCATION_AUD"
+
 /*
  * revoke refresh token and access token stored in the session if the
  * OP has an RFC 7009 compliant token revocation endpoint
@@ -85,7 +87,9 @@ static void oidc_logout_revoke_tokens(request_rec *r, oidc_cfg_t *c, oidc_sessio
 		r, c, oidc_cfg_provider_token_endpoint_auth_get(provider),
 		oidc_cfg_provider_token_endpoint_auth_alg_get(provider), oidc_cfg_provider_client_id_get(provider),
 		oidc_cfg_provider_client_secret_get(provider), oidc_cfg_provider_client_keys_get(provider),
-		oidc_proto_profile_token_endpoint_auth_aud(provider), params, NULL, &basic_auth, &bearer_auth) == FALSE)
+		oidc_proto_profile_revocation_endpoint_auth_aud(
+		    provider, apr_table_get(r->subprocess_env, OIDC_TOKEN_REVOCATION_AUD_ENV_VAR)),
+		params, NULL, &basic_auth, &bearer_auth) == FALSE)
 		goto out;
 
 	token = oidc_session_get_refresh_token(r, session);

src/proto/profile.c

@@ -53,6 +53,25 @@ const char *oidc_proto_profile_token_endpoint_auth_aud(oidc_provider_t *provider
 	return oidc_cfg_provider_token_endpoint_url_get(provider);
 }
 
+/*
+ * returns the "aud" claim to insert into the JWT used for client
+ * authentication towards the revocation endpoint using private_key_jwt/client_secret_jwt
+ */
+const char *oidc_proto_profile_revocation_endpoint_auth_aud(oidc_provider_t *provider, const char *val) {
+	if (oidc_cfg_provider_profile_get(provider) == OIDC_PROFILE_FAPI20) {
+		return oidc_cfg_provider_issuer_get(provider);
+	}
+	const char *aud = oidc_cfg_provider_revocation_endpoint_url_get(provider);
+	if (val != NULL) {
+		if (_oidc_strcmp(val, "token") == 0) {
+			aud = oidc_cfg_provider_token_endpoint_url_get(provider);
+		} else {
+			aud = val;
+		}
+	}
+	return aud;
+}
+
 /*
  * returns the method to be used when sending the authorization request to the Provider
  */

src/proto/proto.h

@@ -124,6 +124,7 @@ typedef json_t oidc_proto_state_t;
 // profile.c
 oidc_auth_request_method_t oidc_proto_profile_auth_request_method_get(oidc_provider_t *provider);
 const char *oidc_proto_profile_token_endpoint_auth_aud(oidc_provider_t *provider);
+const char *oidc_proto_profile_revocation_endpoint_auth_aud(oidc_provider_t *provider, const char *val);
 const apr_array_header_t *oidc_proto_profile_id_token_aud_values_get(apr_pool_t *pool, oidc_provider_t *provider);
 const oidc_proto_pkce_t *oidc_proto_profile_pkce_get(oidc_provider_t *provider);
 oidc_dpop_mode_t oidc_proto_profile_dpop_mode_get(oidc_provider_t *provider);