From 25b7634ef7d594c129fd57fe8844449b4f1a7c6e Mon Sep 17 00:00:00 2001
From: CSDUMMI
Date: Thu, 23 Feb 2023 14:45:35 +0100
Subject: [PATCH] Add id_token_hint to the post logout redirect uri, to facilitate the direct redirect (without confirmation) with some IdP sofware (keycloak)
---
 lib/omniauth/strategies/openid_connect.rb | 3 ++-
 test/lib/omniauth/strategies/openid_connect_test.rb | 5 ++++-
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/lib/omniauth/strategies/openid_connect.rb b/lib/omniauth/strategies/openid_connect.rb
index 1f164e8b..c7e0072a 100644
--- a/lib/omniauth/strategies/openid_connect.rb
+++ b/lib/omniauth/strategies/openid_connect.rb
@@ -424,7 +424,8 @@ def encoded_post_logout_redirect_uri
 return unless options.post_logout_redirect_uri
 URI.encode_www_form(
- post_logout_redirect_uri: options.post_logout_redirect_uri
+ post_logout_redirect_uri: options.post_logout_redirect_uri,
+ id_token_hint: access_token.id_token
 )
 end
diff --git a/test/lib/omniauth/strategies/openid_connect_test.rb b/test/lib/omniauth/strategies/openid_connect_test.rb
index 2b40b09e..32918401 100644
--- a/test/lib/omniauth/strategies/openid_connect_test.rb
+++ b/test/lib/omniauth/strategies/openid_connect_test.rb
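Review bot: In `encoded_post_logout_redirect_uri` (lib/omniauth/strategies/openid_connect.rb), `access_token.id_token` is now evaluated on every logout redirect that has `post_logout_redirect_uri` set, but nothing in the hunk checks that a token is available at that point. `access_token` is defined outside the hunk; if it performs the code-for-token exchange when nothing is memoized, a logout request, which carries no authorization code, would call the token endpoint and fail instead of redirecting. Even when an object comes back, a nil `id_token` makes `URI.encode_www_form` emit a bare `id_token_hint` key. I would build the hash first and add the hint only when an ID token is present, e.g. `query = { post_logout_redirect_uri: options.post_logout_redirect_uri }` followed by `query[:id_token_hint] = id_token if id_token`, with `id_token` read from wherever the application kept it at login. The ID token is a signed JWT with user claims and now travels in a URL, so a comment that the end-session URL must not be written to logs would also help.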
@@ -45,10 +45,13 @@ def test_logout_phase_with_discovery
 end
 def test_logout_phase_with_discovery_and_post_logout_redirect_uri
- expected_redirect = 'https://example.com/logout?post_logout_redirect_uri=https%3A%2F%2Fmysite.com'
+ access_token = stub('OpenIDConnect::AccessToken')
+ access_token.stubs(:id_token).returns(jwt.to_s)
+ expected_redirect = "https://example.com/logout?post_logout_redirect_uri=https%3A%2F%2Fmysite.com&id_token_hint=#{access_token.id_token}"
 strategy.options.client_options.host = 'example.com'
 strategy.options.discovery = true
 strategy.options.post_logout_redirect_uri = 'https://mysite.com'
+ strategy.stubs(:access_token).returns(access_token)
 issuer = stub('OpenIDConnect::Discovery::Issuer')
 issuer.stubs(:issuer).returns('https://example.com/')
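Review bot: The new expectation only passes because `strategy.stubs(:access_token)` replaces the real method, so the test never exercises what `access_token` does on a logout request where no token exchange has happened. A companion test that leaves the ID token absent (for example `access_token.stubs(:id_token).returns(nil)`) and asserts that the redirect still equals the previous `https://example.com/logout?post_logout_redirect_uri=https%3A%2F%2Fmysite.com` value would pin the intended behaviour for sessions without a token. The rest of the test method lies outside the hunk.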