feature: add flag omitIdTokenHintOnLogout in OIDC config (#3711)

* feature: add flag omitIdTokenHintOnLogout in OIDC config

Omit id_token_hint if omitIdTokenHintOnLogout: true
Default is false and adds the id_token_hint during logout

* Update server/src/main/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthLogoutSuccessHandler.java

ok, good to know

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* let copilot fix itself and generate tests.

it is scary, but the inital code was generated by copilot, then review done
and improved, but all from copilot

* fix sonar

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

Author: strehle

model/src/main/java/org/cloudfoundry/identity/uaa/provider/OIDCIdentityProviderDefinition.java

@@ -36,6 +36,8 @@ public class OIDCIdentityProviderDefinition extends AbstractExternalOAuthIdentit
     private boolean setForwardHeader;
     // Enable JWT Bearer Token Exchange Grant flow for this identity provider.
     private Boolean tokenExchangeEnabled;
+    // Omit id_token_hint parameter in logout requests to this identity provider.
+    private Boolean omitIdTokenHintOnLogout;
     @JsonInclude(JsonInclude.Include.NON_NULL)
     private List<Prompt> prompts;
     // Enables private_key_jwt towards identity provider.
@@ -104,6 +106,14 @@ public void setTokenExchangeEnabled(Boolean tokenExchangeEnabled) {
         this.tokenExchangeEnabled = tokenExchangeEnabled;
     }
 
+    public Boolean isOmitIdTokenHintOnLogout() {
+        return omitIdTokenHintOnLogout;
+    }
+
+    public void setOmitIdTokenHintOnLogout(Boolean omitIdTokenHintOnLogout) {
+        this.omitIdTokenHintOnLogout = omitIdTokenHintOnLogout;
+    }
+
     @Override
     public Object clone() throws CloneNotSupportedException {
         return super.clone();
@@ -129,6 +139,9 @@ public boolean equals(Object o) {
         if (this.setForwardHeader != that.setForwardHeader) {
             return false;
         }
+        if (!Objects.equals(this.omitIdTokenHintOnLogout, that.omitIdTokenHintOnLogout)) {
+            return false;
+        }
         if (!Objects.equals(this.jwtClientAuthentication, that.jwtClientAuthentication)) {
             return false;
         }
@@ -148,9 +161,25 @@ public int hashCode() {
         result = 31 * result + (discoveryUrl != null ? discoveryUrl.hashCode() : 0);
         result = 31 * result + (passwordGrantEnabled ? 1 : 0);
         result = 31 * result + (setForwardHeader ? 1 : 0);
+        result = 31 * result + (omitIdTokenHintOnLogout != null ? omitIdTokenHintOnLogout.hashCode() : 0);
         result = 31 * result + (jwtClientAuthentication != null ? jwtClientAuthentication.hashCode() : 0);
         result = 31 * result + (additionalAuthzParameters != null ? additionalAuthzParameters.hashCode() : 0);
         result = 31 * result + (tokenExchangeEnabled != null ? tokenExchangeEnabled.hashCode() : 0);
         return result;
     }
+
+    @Override
+    public String toString() {
+        return "OIDCIdentityProviderDefinition{" +
+                "discoveryUrl=" + discoveryUrl +
+                ", passwordGrantEnabled=" + passwordGrantEnabled +
+                ", setForwardHeader=" + setForwardHeader +
+                ", tokenExchangeEnabled=" + tokenExchangeEnabled +
+                ", omitIdTokenHintOnLogout=" + omitIdTokenHintOnLogout +
+                ", prompts=" + prompts +
+                ", jwtClientAuthentication=" + jwtClientAuthentication +
+                ", additionalAuthzParameters=" + additionalAuthzParameters +
+                ", parent=" + super.toString() +
+                '}';
+    }
 }

model/src/test/java/org/cloudfoundry/identity/uaa/provider/OIDCIdentityProviderDefinitionTests.java

@@ -73,6 +73,7 @@ void equalsTests() throws CloneNotSupportedException {
         OIDCIdentityProviderDefinition original = JsonUtils.readValue(defaultJson, OIDCIdentityProviderDefinition.class);
         OIDCIdentityProviderDefinition compare = (OIDCIdentityProviderDefinition) original.clone();
         compare.setTokenExchangeEnabled(false);
+        compare.setOmitIdTokenHintOnLogout(false);
         assertThat(original).isNotEqualTo(compare);
     }
 
@@ -88,4 +89,60 @@ void serialize_jwtClientAuthentication() {
         assertThat(def.getJwtClientAuthentication()).isEqualTo(settings);
         assertThat(def.getAuthMethod()).isNull();
     }
+
+    @Test
+    void testToString() throws MalformedURLException {
+        OIDCIdentityProviderDefinition def = new OIDCIdentityProviderDefinition();
+        def.setDiscoveryUrl(URI.create(url).toURL());
+        def.setPasswordGrantEnabled(true);
+        def.setSetForwardHeader(true);
+        def.setTokenExchangeEnabled(true);
+        def.setOmitIdTokenHintOnLogout(true);
+
+        List<Prompt> prompts = Arrays.asList(
+            new Prompt("username", "text", "Email"),
+            new Prompt("password", "password", "Password")
+        );
+        def.setPrompts(prompts);
+
+        Map<String, String> jwtSettings = new HashMap<>();
+        jwtSettings.put("iss", "issuer");
+        def.setJwtClientAuthentication(jwtSettings);
+
+        Map<String, String> authzParams = new HashMap<>();
+        authzParams.put("token_format", "jwt");
+        def.setAdditionalAuthzParameters(authzParams);
+
+        String result = def.toString();
+
+        // Verify all attributes are present in toString output
+        assertThat(result).contains("OIDCIdentityProviderDefinition{")
+        .contains("discoveryUrl=" + def.getDiscoveryUrl())
+        .contains("passwordGrantEnabled=true")
+        .contains("setForwardHeader=true")
+        .contains("tokenExchangeEnabled=true")
+        .contains("omitIdTokenHintOnLogout=true")
+        .contains("prompts=")
+        .contains("jwtClientAuthentication=")
+        .contains("additionalAuthzParameters=")
+        .contains("parent=");
+    }
+
+    @Test
+    void testToStringWithNullValues() {
+        OIDCIdentityProviderDefinition def = new OIDCIdentityProviderDefinition();
+
+        String result = def.toString();
+
+        // Verify toString works with null values
+        assertThat(result).contains("OIDCIdentityProviderDefinition{")
+        .contains("discoveryUrl=null")
+        .contains("passwordGrantEnabled=false")
+        .contains("setForwardHeader=false")
+        .contains("tokenExchangeEnabled=null")
+        .contains("omitIdTokenHintOnLogout=null")
+        .contains("prompts=null")
+        .contains("jwtClientAuthentication=null")
+        .contains("additionalAuthzParameters=null");
+    }
 }

server/src/main/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthLogoutSuccessHandler.java

@@ -71,7 +71,10 @@ public String constructOAuthProviderLogoutUrl(final HttpServletRequest request,
         final String oauthLogoutUri = URLEncoder.encode(oauthLogoutUriBuilder.toString(), StandardCharsets.UTF_8);
 
         String idTokenHint = "";
-        if (authentication instanceof UaaAuthentication uaaAuthentication && uaaAuthentication.getIdpIdToken() != null) {
+        boolean omitIdTokenHint = oauthConfig instanceof OIDCIdentityProviderDefinition oidcConfig
+            && Boolean.TRUE.equals(oidcConfig.isOmitIdTokenHintOnLogout());
+
+        if (!omitIdTokenHint && authentication instanceof UaaAuthentication uaaAuthentication && uaaAuthentication.getIdpIdToken() != null) {
             idTokenHint = "&id_token_hint=%s".formatted(uaaAuthentication.getIdpIdToken());
         }
 

server/src/main/java/org/cloudfoundry/identity/uaa/provider/oauth/OauthIDPWrapperFactoryBean.java

@@ -96,6 +96,7 @@ private AbstractExternalOAuthIdentityProviderDefinition getExternalOIDCIdentityP
                 idpDefinitionMap.get("passwordGrantEnabled") == null ? false : (boolean) idpDefinitionMap.get("passwordGrantEnabled"));
         oidcIdentityProviderDefinition.setSetForwardHeader(idpDefinitionMap.get("setForwardHeader") == null ? false : (boolean) idpDefinitionMap.get("setForwardHeader"));
         oidcIdentityProviderDefinition.setTokenExchangeEnabled(Optional.ofNullable(idpDefinitionMap.get("tokenExchangeEnabled")).filter(Boolean.class::isInstance).map(Boolean.class::cast).orElse(false));
+        oidcIdentityProviderDefinition.setOmitIdTokenHintOnLogout(Optional.ofNullable(idpDefinitionMap.get("omitIdTokenHintOnLogout")).filter(Boolean.class::isInstance).map(Boolean.class::cast).orElse(null));
         oidcIdentityProviderDefinition.setPrompts((List<Prompt>) idpDefinitionMap.get("prompts"));
         setJwtClientAuthentication(idpDefinitionMap, oidcIdentityProviderDefinition);
         oauthIdpDefinitions.put(alias, oidcIdentityProviderDefinition);

server/src/test/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthLogoutSuccessHandlerTest.java

@@ -110,6 +110,15 @@ void determineTargetUrlWithIdTokenHint() {
                 .isEqualTo("http://localhost:8080/uaa/logout.do?post_logout_redirect_uri=http%3A%2F%2Flocalhost%3Fparameter%3Dvalue&client_id=id&id_token_hint=token");
     }
 
+    @Test
+    void determineTargetUrlWithOmitIdTokenHint() {
+        request.setQueryString("parameter=value");
+        when(uaaAuthentication.getIdpIdToken()).thenReturn("token");
+        oAuthIdentityProviderDefinition.setOmitIdTokenHintOnLogout(true);
+        assertThat(oAuthLogoutHandler.determineTargetUrl(request, response, uaaAuthentication))
+                .isEqualTo("http://localhost:8080/uaa/logout.do?post_logout_redirect_uri=http%3A%2F%2Flocalhost%3Fparameter%3Dvalue&client_id=id");
+    }
+
     @Test
     void determineDefaultTargetUrl() {
         oAuthIdentityProviderDefinition.setLogoutUrl(null);

uaa/src/test/java/org/cloudfoundry/identity/uaa/mock/providers/IdentityProviderEndpointDocs.java

@@ -704,6 +704,7 @@ void createOidcIdentityProvider() throws Exception {
                 fieldWithPath("config.clientAuthInBody").optional(false).type(BOOLEAN).description("Only effective if relyingPartySecret is defined. Sends the client credentials in the token retrieval call as body parameters instead of a Basic Authorization header. It is recommended to set `jwtClientAuthentication:true` instead."),
                 fieldWithPath("config.pkce").optional(true).type(BOOLEAN).description("A flag controlling whether PKCE (RFC 7636) is active in authorization code flow when requesting tokens from the external provider."),
                 fieldWithPath("config.performRpInitiatedLogout").optional(true).type(BOOLEAN).description("A flag controlling whether to log out of the external provider after a successful UAA logout per [OIDC RP-Initiated Logout](https://openid.net/specs/openid-connect-rpinitiated-1_0.html)"),
+                fieldWithPath("config.omitIdTokenHintOnLogout").optional(false).type(BOOLEAN).description("Omit the `id_token_hint` parameter when performing RP-Initiated Logout at the OIDC provider."),
                 fieldWithPath("config.userInfoUrl").optional(null).type(OBJECT).description("Reserved for future OIDC use.  This can be left blank if a discovery URL is provided. If both are provided, this property overrides the discovery URL."),
                 fieldWithPath("config.logoutUrl").optional(null).type(OBJECT).description("OIDC logout endpoint. This can be left blank if a discovery URL is provided. If both are provided, this property overrides the discovery URL."),
                 fieldWithPath("config.responseType").optional("code").type(STRING).description("Response type for the authorize request, defaults to `code`, but can be `code id_token` if the OIDC server can return an id_token as a query parameter in the redirect."),