[Bug]: Expired Id token hints do not work with logout endpoint in 1.60 #3251

@JoshTheHero

What happened?

When using the oauth2/logout endpoint, you can use an id token hint instead of a client id. As of 1.37, FA should be allowing expired id tokens for the id_token_hint. However, as of 1.60 with the JWT changes, an expired id token on the logout URL will result in an error screen with this:

{
  "error" : "invalid_request",
  "error_description" : "The token is not suitable for the requested use.",
  "error_reason" : "invalid_id_token_hint"
}

Version

1.60.2

Affects Versions

>= 1.60

Alternatives / Workarounds

Use the client id instead of the id token hint on the oauth2/logout URL.
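The behaviour the report expects, as an added sketch that is not part of the original issue and is not FusionAuth's code: an id_token_hint is still checked for signature, pinned algorithm, issuer and audience, while an expired `exp` is reported instead of rejected. The key, issuer, client id and function names are hypothetical, HS256 with the standard library stands in for the real signing setup, and `aud` is assumed to be a single string.

```python
import base64, hashlib, hmac, json, time

KEY = b"constructed-demo-key"      # constructed sample values, not from the issue
ISSUER = "https://idp.example"
CLIENTS = {"demo-client"}

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(signing_input, key):
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def sign_hs256(claims, key):
    """Build a constructed HS256 ID token for the demo."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    signing_input = header + "." + body
    return signing_input + "." + _b64url(_mac(signing_input, key))

def check_id_token_hint(token, key, issuer, clients, now=None):
    """Return (client_id, expired); raise ValueError if the hint is untrustworthy."""
    now = time.time() if now is None else now
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(body_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError as exc:
        raise ValueError("invalid_id_token_hint: malformed") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("invalid_id_token_hint: malformed")
    # Pin the algorithm on the server side; the token does not get to choose it.
    if header.get("alg") != "HS256":
        raise ValueError("invalid_id_token_hint: unexpected alg")
    if not hmac.compare_digest(sig, _mac(header_b64 + "." + body_b64, key)):
        raise ValueError("invalid_id_token_hint: bad signature")
    aud = claims.get("aud")
    if claims.get("iss") != issuer or not isinstance(aud, str) or aud not in clients:
        raise ValueError("invalid_id_token_hint: wrong issuer or audience")
    # exp is reported, not enforced: the hint only identifies the client and
    # session to log out, it does not authorize access to anything.
    exp = claims.get("exp")
    expired = not isinstance(exp, (int, float)) or exp < now
    return aud, expired
```
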

Labels: bug (Something isn't working)

Status: Delivered