Stable logout URI when skipEndSessionEndpoint

app/server/lib/OIDCConfig.ts

@@ -281,9 +281,11 @@ export class OIDCConfig {
 
   public async getLogoutRedirectUrl(req: express.Request, redirectUrl: URL): Promise<string> {
     const session: SessionObj|undefined = (req as RequestWithLogin).session;
+    const stableRedirectUri = new URL('/signed-out', getOriginUrl(req)).href;
     // For IdPs that don't have end_session_endpoint, we just redirect to the logout page.
     if (this._skipEndSessionEndpoint) {
-      return redirectUrl.href;
+      // Ignore redirectUrl because OIDC providers don't allow variable redirect URIs
+      return stableRedirectUri;
     }
     // Alternatively, we could use a logout URL specified by configuration.
     if (this._endSessionEndpoint) {
@@ -291,7 +293,7 @@ export class OIDCConfig {
     }
     return this._client.endSessionUrl({
       // Ignore redirectUrl because OIDC providers don't allow variable redirect URIs
-      post_logout_redirect_uri: new URL('/signed-out', getOriginUrl(req)).href,
+      post_logout_redirect_uri: stableRedirectUri,
       id_token_hint: session?.oidc?.idToken,
     });
   }

test/server/lib/OIDCConfig.ts

@@ -768,7 +768,7 @@ describe('OIDCConfig', () => {
         env: {
           GRIST_OIDC_IDP_SKIP_END_SESSION_ENDPOINT: 'true',
         },
-        expectedUrl: REDIRECT_URL.href,
+        expectedUrl: STABLE_LOGOUT_URL.href,
       }, {
         itMsg: 'should use the GRIST_OIDC_IDP_END_SESSION_ENDPOINT when it is set',
         env: {