Description
Problem
When performing a logout from an external OIDC provider, UAA passes back the id_token_hint by default. This is a required parameter for Okta, so single logout does not work with Okta when using OIDC.
This however creates a problem when other OIDC providers have deprecated allowing id_token_hint as one of the returned parameters.
What version of UAA are you running?
v78.5.0
How are you deploying the UAA?
UAA included in cf-deployment
What did you do?
Configured UAA for external OIDC logins for Login.gov. Logged in to UAA using the Login.gov link and then did a logout.
What did you expect to see? What goal are you trying to achieve with the UAA?
Successful logout at Login.gov and redirect back to UAA
What did you see instead?
An error from Login.gov stating: "Id token hint This application is misconfigured and should not be sending id_token_hint. Please send client_id instead."
Upon investigation both client_id and id_token_hint are returned as part of the logout response from UAA's logout.do. Manually removing the id_token_hint from the response completed the logout process.
Ideally this would be configurable per defined external OIDC provider.
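The per-provider behaviour the issue asks for, written as an added example that is not UAA code and not the reporter's: an RP-initiated logout URL builder with a hypothetical `send_id_token_hint` flag per provider, plus a checker that flags an `id_token_hint` sent to a provider that rejects it. Endpoint URLs, client ids and the token value are constructed placeholders; the flag name is an assumption, not a real UAA configuration key.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed per-provider settings. "send_id_token_hint" is a hypothetical
# knob, not a real UAA property; the endpoint hosts are placeholders.
PROVIDERS = {
    # Page: Okta requires id_token_hint for single logout to work.
    "okta": {
        "end_session_endpoint": "https://okta.example/oauth2/v1/logout",
        "send_id_token_hint": True,
    },
    # Page: Login.gov rejects id_token_hint and wants client_id instead.
    "login.gov": {
        "end_session_endpoint": "https://logingov.example/openid_connect/logout",
        "send_id_token_hint": False,
    },
}


def build_logout_url(provider, client_id, id_token, post_logout_redirect_uri, state=None):
    """Build an OIDC RP-Initiated Logout request URL for the named provider.

    client_id and post_logout_redirect_uri are always sent; id_token_hint only
    when the provider is configured to accept it.
    """
    cfg = PROVIDERS[provider]
    params = {
        "client_id": client_id,
        "post_logout_redirect_uri": post_logout_redirect_uri,
    }
    if cfg["send_id_token_hint"]:
        params["id_token_hint"] = id_token
    if state is not None:
        params["state"] = state
    return f"{cfg['end_session_endpoint']}?{urlencode(params)}"


def logout_params(url):
    """Return the query parameters of a logout URL as a flat dict."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def check_logout_url(provider, url):
    """Return a list of findings describing why this provider would reject the URL.

    An empty list means the request matches the provider's configured expectations.
    """
    cfg = PROVIDERS[provider]
    params = logout_params(url)
    findings = []
    if "id_token_hint" in params and not cfg["send_id_token_hint"]:
        findings.append("id_token_hint sent to a provider that rejects it")
    if "id_token_hint" not in params and cfg["send_id_token_hint"]:
        findings.append("id_token_hint missing for a provider that requires it")
    if "client_id" not in params:
        findings.append("client_id missing")
    return findings


if __name__ == "__main__":
    # Constructed sample values; the token is not a real JWT.
    for name in PROVIDERS:
        url = build_logout_url(name, "uaa-client", "eyJ.placeholder.token",
                               "https://uaa.example/logout.do", state="abc123")
        print(name, logout_params(url), check_logout_url(name, url))
```

Running the block shows the Okta URL carrying `client_id` and `id_token_hint` while the Login.gov URL carries only `client_id` and the redirect, and `check_logout_url` reports the mismatch if a URL built for one provider were sent to the other.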