From 033947ba04d1f1f447893c37850b2e0f7a6dce2c Mon Sep 17 00:00:00 2001
From: vviers
Date: Tue, 22 Oct 2024 17:31:35 +0200
Subject: [PATCH] Stable logout URI when skipEndSessionEndpoint

---
 app/server/lib/OIDCConfig.ts  | 6 ++++--
 test/server/lib/OIDCConfig.ts | 2 +-
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/app/server/lib/OIDCConfig.ts b/app/server/lib/OIDCConfig.ts
index cac6f537..31180ca6 100644
--- a/app/server/lib/OIDCConfig.ts
+++ b/app/server/lib/OIDCConfig.ts
@@ -281,9 +281,11 @@ export class OIDCConfig {
   public async getLogoutRedirectUrl(req: express.Request, redirectUrl: URL): Promise {
     const session: SessionObj|undefined = (req as RequestWithLogin).session;
+    const stableRedirectUri = new URL('/signed-out', getOriginUrl(req)).href;
     // For IdPs that don't have end_session_endpoint, we just redirect to the logout page.
     if (this._skipEndSessionEndpoint) {
-      return redirectUrl.href;
+      // Ignore redirectUrl because OIDC providers don't allow variable redirect URIs
+      return stableRedirectUri;
     }
     // Alternatively, we could use a logout URL specified by configuration.
     if (this._endSessionEndpoint) {
@@ -291,7 +293,7 @@ export class OIDCConfig {
     }
     return this._client.endSessionUrl({
       // Ignore redirectUrl because OIDC providers don't allow variable redirect URIs
-      post_logout_redirect_uri: new URL('/signed-out', getOriginUrl(req)).href,
+      post_logout_redirect_uri: stableRedirectUri,
       id_token_hint: session?.oidc?.idToken,
     });
   }
diff --git a/test/server/lib/OIDCConfig.ts b/test/server/lib/OIDCConfig.ts
index 1b423249..099c0950 100644
--- a/test/server/lib/OIDCConfig.ts
+++ b/test/server/lib/OIDCConfig.ts
@@ -768,7 +768,7 @@ describe('OIDCConfig', () => {
           env: {
             GRIST_OIDC_IDP_SKIP_END_SESSION_ENDPOINT: 'true',
           },
-          expectedUrl: REDIRECT_URL.href,
+          expectedUrl: STABLE_LOGOUT_URL.href,
         },
         {
           itMsg: 'should use the GRIST_OIDC_IDP_END_SESSION_ENDPOINT when it is set',
           env: {
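Review bot: The comment added inside the `_skipEndSessionEndpoint` branch, "Ignore redirectUrl because OIDC providers don't allow variable redirect URIs", gives a rationale that does not apply to that branch, since no provider endpoint is contacted there; it should state the actual reason the caller-supplied URL is dropped, e.g. `// Land on the same stable /signed-out page as the end_session flow rather than a caller-supplied redirectUrl`. After this change `redirectUrl` is not read on any visible path of getLogoutRedirectUrl, so the parameter should either be removed from the signature or documented in TSDoc as accepted but ignored, so callers do not assume it is honoured. The "stable" URI is only as stable as `getOriginUrl(req)`; if that helper derives the origin from Host or X-Forwarded-* headers rather than a configured home URL, the post-logout landing page would still be request-influenced, which is worth confirming since the whole point of the change is a fixed redirect target. The method spans both hunks of this file, and the `_endSessionEndpoint` branch between them lies outside the shown lines.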