Stable logout URI when skipEndSessionEndpoint

vviers 2024-10-22 17:31:35 +02:00
parent 6d9f39b5a4
commit 033947ba04
2 changed files with 5 additions and 3 deletions


@ -281,9 +281,11 @@ export class OIDCConfig {
public async getLogoutRedirectUrl(req: express.Request, redirectUrl: URL): Promise<string> {
const session: SessionObj|undefined = (req as RequestWithLogin).session;
const stableRedirectUri = new URL('/signed-out', getOriginUrl(req)).href;
// For IdPs that don't have end_session_endpoint, we just redirect to the logout page.
if (this._skipEndSessionEndpoint) {
return redirectUrl.href;
// Ignore redirectUrl because OIDC providers don't allow variable redirect URIs
return stableRedirectUri;
}
// Alternatively, we could use a logout URL specified by configuration.
if (this._endSessionEndpoint) {
@ -291,7 +293,7 @@ export class OIDCConfig {
}
return this._client.endSessionUrl({
// Ignore redirectUrl because OIDC providers don't allow variable redirect URIs
post_logout_redirect_uri: new URL('/signed-out', getOriginUrl(req)).href,
post_logout_redirect_uri: stableRedirectUri,
id_token_hint: session?.oidc?.idToken,
});
}
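Review bot: The comment copied into the `_skipEndSessionEndpoint` branch gives a reason that does not apply there: that branch returns the URL directly and never calls the provider, so "OIDC providers don't allow variable redirect URIs" explains only the `endSessionUrl` call further down. I would reword it to describe the branch itself, e.g. `// No IdP round-trip here: always land on our own /signed-out page and ignore the caller-supplied redirectUrl.` In this branch nothing outside the application validates the target, so the result is only as trustworthy as `getOriginUrl(req)`; its definition is outside the hunk, and if it derives the origin from request headers it is worth confirming that they are checked against the configured host. `redirectUrl` is no longer used in the lines visible here, and the `_endSessionEndpoint` branch between the two hunks is not shown, so I cannot tell whether the parameter is still needed.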


@ -768,7 +768,7 @@ describe('OIDCConfig', () => {
env: {
GRIST_OIDC_IDP_SKIP_END_SESSION_ENDPOINT: 'true',
},
expectedUrl: REDIRECT_URL.href,
expectedUrl: STABLE_LOGOUT_URL.href,
}, {
itMsg: 'should use the GRIST_OIDC_IDP_END_SESSION_ENDPOINT when it is set',
env: {