
Add id_token_hint to the post logout redirect uri

Open CSDUMMI opened this issue 2 years ago • 7 comments

The OneLogin IdP requires the id_token_hint field to be set to the previously issued access token in the end session uri to perform a logout and redirect the user to the post logout uri.[^1]

The Keycloak IdP requires the id_token_hint field to be set to avoid a confirmation dialog before redirecting them to the post logout uri.[^2]

This PR adds the id_token_hint to support this behavior by the IdPs. I'm open to only enabling this through an option that is disabled by default.

[^1]: See #140 and https://developers.onelogin.com/openid-connect/api/logout
[^2]: See Keycloak documentation: https://www.keycloak.org/docs/latest/securing_apps/#logout

CSDUMMI avatar Mar 01 '23 12:03 CSDUMMI

Great work, thank you.

kitebuggy avatar Mar 03 '23 10:03 kitebuggy

The tests fail because access_token is now called by encoded_post_logout_redirect_uri and this function calls client.access_token! if no access token has previously been fetched.

The tests do not mock this function and thus a request to example.com is made - expecting an access token but receiving HTML.

I don't know enough about stubbing in Ruby to stub this particular behavior.

CSDUMMI avatar Mar 08 '23 09:03 CSDUMMI
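The following is an added illustration, not code from the omniauth_openid_connect gem or from this PR, of the two points raised above: building the end-session redirect with `id_token_hint` and `post_logout_redirect_uri` appended, and why the memoized token fetch needs a test double rather than a live endpoint. `LogoutUriBuilder`, `FakeClient`, `fetch_token!` and all URLs and token strings are hypothetical, constructed names and values. The builder leaves the choice of token to the injected client (OpenID Connect RP-Initiated Logout defines `id_token_hint` as the previously issued ID Token, and whatever is placed there travels in a browser-visible GET URL), and it refuses non-https endpoints.

```ruby
require 'uri'

# Test double standing in for the OIDC client: it counts how often it is asked for a
# token and returns a constructed placeholder instead of contacting an IdP.
class FakeClient
  attr_reader :calls

  def initialize(token)
    @token = token
    @calls = 0
  end

  # Plays the role of client.access_token! from the thread, with no HTTP request.
  def fetch_token!
    @calls += 1
    @token
  end
end

# Hypothetical builder (not the gem's code) for the RP-initiated logout redirect.
class LogoutUriBuilder
  PARAM_ID_TOKEN_HINT = 'id_token_hint'
  PARAM_REDIRECT = 'post_logout_redirect_uri'

  def initialize(client:, end_session_endpoint:, post_logout_redirect_uri:, include_id_token_hint: true)
    @client = client
    @end_session_endpoint = absolute_https!(end_session_endpoint, 'end_session_endpoint')
    @post_logout_redirect_uri = absolute_https!(post_logout_redirect_uri, 'post_logout_redirect_uri')
    @include_id_token_hint = include_id_token_hint
    @token = nil
  end

  # Memoized like the strategy method discussed in the thread: only the first call
  # reaches the client, which is why a test must supply a double here.
  def token
    @token ||= @client.fetch_token!
  end

  # The end-session URL the browser is sent to. id_token_hint is appended only when
  # enabled, matching the opt-in the PR author offers; existing query parameters on
  # the endpoint are preserved.
  def end_session_uri(state: nil)
    params = { PARAM_REDIRECT => @post_logout_redirect_uri }
    params[PARAM_ID_TOKEN_HINT] = token if @include_id_token_hint
    params['state'] = state if state
    uri = URI.parse(@end_session_endpoint)
    existing = uri.query ? URI.decode_www_form(uri.query) : []
    uri.query = URI.encode_www_form(existing + params.to_a)
    uri.to_s
  end

  private

  # Reject anything that is not an absolute https URL so tokens never go over plain http.
  def absolute_https!(value, name)
    uri = URI.parse(value)
    raise ArgumentError, "#{name} must be an absolute https URL" unless uri.is_a?(URI::HTTPS) && uri.host
    value
  end
end

# Decode the query of a built URL so a test or a log review can check exactly what was sent.
def end_session_params(url)
  URI.decode_www_form(URI.parse(url).query.to_s).to_h
end

if __FILE__ == $PROGRAM_NAME
  client = FakeClient.new('eyJ.constructed.token') # constructed placeholder, not a real token
  builder = LogoutUriBuilder.new(client: client,
                                 end_session_endpoint: 'https://idp.example/oidc/logout',
                                 post_logout_redirect_uri: 'https://app.example/signed-out')
  puts builder.end_session_uri
  puts builder.end_session_uri(state: 'xyz')
  puts "client contacted #{client.calls} time(s)"
end
```

Run stand-alone it prints two logout URLs and shows the client was contacted once; in a test suite the same `FakeClient` is what replaces the real client so that no request to example.com is ever made.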

@stanhu can you review this PR or is there somebody else I can talk to?

CSDUMMI avatar Mar 19 '23 12:03 CSDUMMI

Hello everyone! Will this PR be merged at some point? Thanks for your work.

drjole avatar Nov 16 '23 11:11 drjole