fix: Add id_token_hint on logout

frederikprijck · frederikprijck · commit d09757d1a361 · 2025-04-07T10:22:07.000+02:00
diff --git a/src/server/auth-client.test.ts b/src/server/auth-client.test.ts
@@ -18,6 +18,7 @@ describe("Authentication Client", async () => {
     clientSecret: "client-secret",
     appBaseUrl: "https://example.com",
     sid: "auth0-sid",
+    idToken: "idt_123",
     accessToken: "at_123",
     refreshToken: "rt_123",
     sub: "user_123",
@@ -1827,6 +1828,7 @@ ca/T0LLtgmbMmxSv/MmzIg==
       const session: SessionData = {
         user: { sub: DEFAULT.sub },
         tokenSet: {
+          idToken: DEFAULT.idToken,
           accessToken: DEFAULT.accessToken,
           refreshToken: DEFAULT.refreshToken,
           expiresAt: 123456
@@ -1864,6 +1866,9 @@ ca/T0LLtgmbMmxSv/MmzIg==
       expect(authorizationUrl.searchParams.get("logout_hint")).toEqual(
         DEFAULT.sid
       );
+      expect(authorizationUrl.searchParams.get("id_token_hint")).toEqual(
+        DEFAULT.idToken
+      );
 
       // session cookie is cleared
       const cookie = response.cookies.get("__session");
@@ -1941,6 +1946,43 @@ ca/T0LLtgmbMmxSv/MmzIg==
       expect(cookie?.expires).toEqual(new Date("1970-01-01T00:00:00.000Z"));
     });
 
+    it("should not include the id_token_hint parameter if a session does not exist", async () => {
+      const secret = await generateSecret(32);
+      const transactionStore = new TransactionStore({
+        secret
+      });
+      const sessionStore = new StatelessSessionStore({
+        secret
+      });
+      const authClient = new AuthClient({
+        transactionStore,
+        sessionStore,
+
+        domain: DEFAULT.domain,
+        clientId: DEFAULT.clientId,
+        clientSecret: DEFAULT.clientSecret,
+
+        secret,
+        appBaseUrl: DEFAULT.appBaseUrl,
+
+        fetch: getMockAuthorizationServer()
+      });
+
+      const request = new NextRequest(
+        new URL("/auth/logout", DEFAULT.appBaseUrl),
+        {
+          method: "GET"
+        }
+      );
+
+      const response = await authClient.handleLogout(request);
+      expect(response.status).toEqual(307);
+      expect(response.headers.get("Location")).not.toBeNull();
+
+      const authorizationUrl = new URL(response.headers.get("Location")!);
+      expect(authorizationUrl.searchParams.get("id_token_hint")).toBeNull();
+    });
+
     it("should not include the logout_hint parameter if a session does not exist", async () => {
       const secret = await generateSecret(32);
       const transactionStore = new TransactionStore({
diff --git a/src/server/auth-client.ts b/src/server/auth-client.ts
@@ -432,6 +432,10 @@ export class AuthClient {
       url.searchParams.set("logout_hint", session.internal.sid);
     }
 
+    if (session?.tokenSet.idToken) {
+      url.searchParams.set("id_token_hint", session?.tokenSet.idToken);
+    }
+
     const res = NextResponse.redirect(url);
     await this.sessionStore.delete(req.cookies, res.cookies);
 

Original file line number	Diff line number	Diff line change
`@@ -432,6 +432,10 @@ export class AuthClient {`
`432`	`432`	`url.searchParams.set("logout_hint", session.internal.sid);`
`433`	`433`	`}`
`434`	`434`
	`435`	`+ if (session?.tokenSet.idToken) {`
	`436`	`+ url.searchParams.set("id_token_hint", session?.tokenSet.idToken);`
	`437`	`+ }`
	`438`	`+`
`435`	`439`	`const res = NextResponse.redirect(url);`
`436`	`440`	`await this.sessionStore.delete(req.cookies, res.cookies);`
`437`	`441`