Add id_token_hint to the post logout redirect uri

[CSDUMMI]

The OneLogin IdP requires the id_token_hint field to be set to the previously issued access token in the end session uri to perform a logout and redirect the user to the post logout uri.¹

The Keycloak IdP requires the id_token_hint field to be set to avoid a confirmation dialog before redirecting them to the post logout uri.²

This PR adds the id_token_hint to support this behavior by the IdPs. I'm open to only enabling this through an option that is disabled by default.

Footnotes

1. See OneLogin OIDC post_logout_redirect_uri issue #140 and https://developers.onelogin.com/openid-connect/api/logout ↩

2. See keycloak documentation: https://www.keycloak.org/docs/latest/securing_apps/#logout ↩

[kitebuggy]

Great work, thank you.

[CSDUMMI]

The tests fail because access_token is now called by encoded_post_logout_redirect_uri and this function calls client.access_token! if no access token has previously been fetched.

The tests do not mock this function and thus a request to example.com is made - expecting an access token but receiving HTML.

I don't know enough about stubbing in Ruby to stub this particular behavior.

[CSDUMMI]

@stanhu can you review this PR or is there somebody else I can talk to?

[stanhu]

Should this value be blank? Should the key be omitted entirely if there is no token?

[grega]

I suspect this needs two tests:

• one with an ID token present (such as this) where the redirect URL should contain the id_token_hint param with a value of <id-token>
• one where the ID token is not present and the redirect URL does not contain the id_token_hint param

[CSDUMMI]

I'm not sure whether it's worth the extra effort to create a test case for the second case.

[grega]

Suggested change

	expected_redirect = 'https://example.com/logout?post_logout_redirect_uri=https%3A%2F%2Fmysite.com&id_token_hint'
	access_token = stub('OpenIDConnect::AccessToken')
	access_token.stubs(:id_token).returns(jwt.to_s)
	expected_redirect = "https://example.com/logout?post_logout_redirect_uri=https%3A%2F%2Fmysite.com&id_token_hint=#{access_token.id_token}"

[CSDUMMI]

Thanks for your suggestion. I applied them and the case passed.

[drjole]

Hello everyone! Will this PR be merged at some point? Thanks for your work.

[evgenyneu]

I would like this to be merged. Are there any concerns with this code? Need any help?

[coberlin]

I also need to send id_token_hint, but this solution doesn't work for my client. I'm using authorization_code flow and the call to access_token fails with "invalid grant" because this flow requires that I send the authorization_code, which is supplied by params['code'] but that is not passed in the logout uri. I could send this code as a parameter, but that seems like overkill to require a fetch of the access_token just to allow logout. My application keeps track of the id_token, and I'd rather pass it as a parameter to the logout uri directly. I have a PR for this.

[evgenyneu]

I found out that even if this gets merged, I still can't use it with Amazon Cognito because they're not compliant with the OpenID Connect logout specification. Cognito uses different URL parameters (client_id and logout_uri), see their documentation. Just a heads up! 😄

[rgisiger]

I also need to send id_token_hint, but this solution doesn't work for my client. I'm using authorization_code flow and the call to access_token fails with "invalid grant" because this flow requires that I send the authorization_code, which is supplied by params['code'] but that is not passed in the logout uri. I could send this code as a parameter, but that seems like overkill to require a fetch of the access_token just to allow logout. My application keeps track of the id_token, and I'd rather pass it as a parameter to the logout uri directly. I have a PR for this.

I have the same issue @coberlin, and I will also pass the id_token from my session (stored server side) as a parameter so I have created #207 for that and also to allow other parameters as the OpenID specs mention them. Without forgetting cases like Amazon Cognito mentionned by @evgenyneu.