OIDC logout: use a fixed post logout redirect uri (#1276)

Co-authored-by: Jonathan Perret <j-github@jonathanperret.net>

app/server/lib/OIDCConfig.ts

@@ -79,6 +79,7 @@ import { SendAppPageFunction } from 'app/server/lib/sendAppPage';
 import { StringUnionError } from 'app/common/StringUnion';
 import { EnabledProtection, EnabledProtectionString, ProtectionsManager } from './oidc/Protections';
 import { SessionObj } from './BrowserSession';
+import { getOriginUrl } from './requestUtils';
 
 const CALLBACK_URL = '/oauth2/callback';
 
@@ -278,18 +279,21 @@ export class OIDCConfig {
     });
   }
 
-  public async getLogoutRedirectUrl(req: express.Request, redirectUrl: URL): Promise<string> {
+  public async getLogoutRedirectUrl(req: express.Request): Promise<string> {
     const session: SessionObj|undefined = (req as RequestWithLogin).session;
+    const stableRedirectUri = new URL('/signed-out', getOriginUrl(req)).href;
     // For IdPs that don't have end_session_endpoint, we just redirect to the logout page.
     if (this._skipEndSessionEndpoint) {
-      return redirectUrl.href;
+      // Ignore redirectUrl because OIDC providers don't allow variable redirect URIs
+      return stableRedirectUri;
     }
     // Alternatively, we could use a logout URL specified by configuration.
     if (this._endSessionEndpoint) {
       return this._endSessionEndpoint;
     }
     return this._client.endSessionUrl({
-      post_logout_redirect_uri: redirectUrl.href,
+      // Ignore redirectUrl because OIDC providers don't allow variable redirect URIs
+      post_logout_redirect_uri: stableRedirectUri,
       id_token_hint: session?.oidc?.idToken,
     });
   }