From 0ab719d640e35f2640a9832ca7d2dbf3bf317664 Mon Sep 17 00:00:00 2001
From: Jonathan Perret
Date: Wed, 16 Oct 2024 19:22:23 +0200
Subject: [PATCH] OIDC logout: use a fixed post logout redirect uri

---
 app/server/lib/OIDCConfig.ts | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/app/server/lib/OIDCConfig.ts b/app/server/lib/OIDCConfig.ts
index 9e500d6c..cac6f537 100644
--- a/app/server/lib/OIDCConfig.ts
+++ b/app/server/lib/OIDCConfig.ts
@@ -79,6 +79,7 @@ import { SendAppPageFunction } from 'app/server/lib/sendAppPage';
 import { StringUnionError } from 'app/common/StringUnion';
 import { EnabledProtection, EnabledProtectionString, ProtectionsManager } from './oidc/Protections';
 import { SessionObj } from './BrowserSession';
+import { getOriginUrl } from './requestUtils';
 
 const CALLBACK_URL = '/oauth2/callback';
 
@@ -289,7 +290,8 @@ export class OIDCConfig {
 return this._endSessionEndpoint;
 }
 return this._client.endSessionUrl({
- post_logout_redirect_uri: redirectUrl.href,
+ // Ignore redirectUrl because OIDC providers don't allow variable redirect URIs
+ post_logout_redirect_uri: new URL('/signed-out', getOriginUrl(req)).href,
 id_token_hint: session?.oidc?.idToken,
 });
 }
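Review bot: The new `post_logout_redirect_uri` line hard-codes the `'/signed-out'` path inline while the file already keeps the sibling endpoint as `const CALLBACK_URL = '/oauth2/callback';` in the first hunk; for consistency and so operators can find the value they must register at the provider, hoist it next to that constant as `const SIGNED_OUT_URL = '/signed-out';` and use `new URL(SIGNED_OUT_URL, getOriginUrl(req)).href`. The enclosing method starts above the hunk, so its signature is not visible here, but after this change the `redirectUrl` parameter appears to be unused in the body; either drop it or extend the added comment to say the provider validates `post_logout_redirect_uri` against a registered allowlist, which is why a per-request value was rejected. The value now depends on `getOriginUrl(req)`; if that helper derives the origin from request headers rather than a configured home URL, the logout request will be refused by the provider whenever the effective origin differs from the registered one, so the method's doc comment should state that `<origin>/signed-out` must be registered with the identity provider as an allowed post-logout redirect URI.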