@piraveena piraveena commented Feb 10, 2026

Purpose

Screenshot 2026-02-10 at 15 07 44

Related Issues

  • N/A

Related PRs

  • N/A

Checklist

  • e2e cypress tests locally verified. (for internal contributors)
  • Manual test round performed and verified.
  • UX/UI review done on the final implementation.
  • Documentation provided. (Add links if there are any)
  • Relevant backend changes deployed and verified
  • Unit tests provided. (Add links if there are any)
  • Integration tests provided. (Add links if there are any)

Security checks

Developer Checklist (Mandatory)

  • Complete the Developer Checklist in the related product-is issue to track any behavioral change or migration impact.

Summary by CodeRabbit

  • Bug Fixes
    • Fixed front-channel logout handling for OIDC Single Page Applications: when updating SPA settings the front-channel logout URL is now correctly retained and applied (when front-channel logout is enabled), ensuring consistent behavior with existing back-channel logout configuration and preventing loss of the front-channel logout URL during configuration updates.

coderabbitai bot commented Feb 10, 2026

Walkthrough

Adds conditional assignment of logout.frontChannelLogoutUrl to the SPA inbound-OIDC serialization: when front-channel logout is enabled the value is taken from form values, otherwise it falls back to initialValues?.logout?.frontChannelLogoutUrl.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| SPA Configuration: `features/admin.applications.v1/components/forms/inbound-oidc-form.tsx` | Populate logout.frontChannelLogoutUrl in the SPA update/serialization path when front-channel logout is enabled; fallback to initialValues?.logout?.frontChannelLogoutUrl otherwise, matching back-channel handling. |
| Changeset: `.changeset/breezy-plums-call.md` | Add patch changeset noting "Fix OIDC Frontchannel logout update bug in SPA template." |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

I’m a rabbit tweaking logout’s map,
I check the front channel before a nap,
If enabled, I set it from the form,
Else fallback keeps the old norm,
Hop—SPA exits smooth and apt. 🐇✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Description check | ⚠️ Warning | The description follows the required template structure but lacks critical implementation details. The Purpose section only contains a screenshot without text explanation, and all checklist items are unchecked. | Add a text description explaining what the bug was, how it was fixed, and provide clear implementation details. Complete the relevant checklist items or explain why they don't apply. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title 'Fixing frontchannel logout in SPA app template' accurately summarizes the main change—adding frontChannelLogoutUrl handling to the SPA inbound-OIDC form component. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

No actionable comments were generated in the recent review. 🎉


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1


Comment on lines +1694 to +1698
logout: {
frontChannelLogoutUrl: isFrontChannelLogoutEnabled
? values.get("frontChannelLogoutUrl")
: initialValues?.logout?.frontChannelLogoutUrl
},
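
Review bot: The false branch of the ternary on `frontChannelLogoutUrl` re-sends `initialValues?.logout?.frontChannelLogoutUrl`, so whenever `isFrontChannelLogoutEnabled` is false this path can only preserve a stored URL and can never remove it. If an administrator is expected to be able to retire a front-channel logout URL from this form, that case needs an explicit clear; otherwise add a short comment saying the stored value is kept on purpose, because a URL that is no longer wanted would stay in every later update payload.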

⚠️ Potential issue | 🟠 Major

Guard SPA front‑channel logout serialization to avoid unintentionally clearing existing URL.

If showFrontChannelLogout is false (or the field is absent), values.get("frontChannelLogoutUrl") yields undefined, and the payload can serialize logout: {} — which may clear an existing front‑channel logout URL. The non‑SPA path deletes this field based on showFrontChannelLogout, but the SPA path doesn’t. Please mirror that guard or fall back only when the field is visible.

💡 Suggested fix (mirror non‑SPA guard)
         let inboundConfigFormValues: any = {
             accessToken: {
                 accessTokenAttributes: selectedAccessTokenAttributes?.map((claim: ExternalClaim) => claim.claimURI),
                 applicationAccessTokenExpiryInSeconds: Number(metadata?.defaultApplicationAccessTokenExpiryTime),
                 bindingType: values.get("bindingType"),
                 revokeTokensWhenIDPSessionTerminated: getRevokeStateForSPA(values),
                 type: values.get("type"),
                 userAccessTokenExpiryInSeconds: Number(values.get("userAccessTokenExpiryInSeconds")),
                 validateTokenBinding: isDPoPSelected || values.get("ValidateTokenBinding")?.length > 0
             },
             grantTypes: values.get("grant"),
             idToken: {
                 audience: audienceUrls !== "" ? audienceUrls.split(",") : [],
                 expiryInSeconds: Number(values.get("idExpiryInSeconds"))
             },
             logout: {
                 frontChannelLogoutUrl: isFrontChannelLogoutEnabled
-                    ? values.get("frontChannelLogoutUrl")
+                    ? (values.get("frontChannelLogoutUrl") ?? initialValues?.logout?.frontChannelLogoutUrl)
                     : initialValues?.logout?.frontChannelLogoutUrl
             },
             publicClient: true,
             refreshToken: {
                 expiryInSeconds: values.get("expiryInSeconds")
                     ? parseInt(values.get("expiryInSeconds"), 10)
                     : Number(metadata?.defaultRefreshTokenExpiryTime),
                 extendRenewedRefreshTokenExpiryTime: values.get("extendExpiryTime")?.includes("extendExpiryTime"),
                 renewRefreshToken: values.get("RefreshToken")?.length > 0
             },
             subjectToken: {
                 applicationSubjectTokenExpiryInSeconds : values.get("applicationSubjectTokenExpiryInSeconds")
                     ? parseInt(values.get("applicationSubjectTokenExpiryInSeconds"), 10)
                     : ImpersonationConfigConstants.DEFAULT_SUBJECT_TOKEN_EXPIRY_TIME,
                 enable : values.get("SubjectToken")?.length > 0

             }
         };

+        if (!applicationConfig.inboundOIDCForm.showFrontChannelLogout) {
+            delete inboundConfigFormValues.logout;
+        }
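
Review bot: The added `delete inboundConfigFormValues.logout` at the end removes the whole `logout` object, which makes the `initialValues` fallback computed a few lines above unreachable whenever `showFrontChannelLogout` is false and would also drop any other key later placed under `logout` in this SPA payload. Deleting only `logout.frontChannelLogoutUrl` keeps the guard scoped to the hidden field. Separately, the `??` in the `+` line only catches `null` and `undefined`, so an empty string from the form still goes out as the new URL; a comment should state whether that is the intended way to clear it.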
📝 Committable suggestion

Suggested change
logout: {
frontChannelLogoutUrl: isFrontChannelLogoutEnabled
? values.get("frontChannelLogoutUrl")
: initialValues?.logout?.frontChannelLogoutUrl
},
logout: {
frontChannelLogoutUrl: isFrontChannelLogoutEnabled
? (values.get("frontChannelLogoutUrl") ?? initialValues?.logout?.frontChannelLogoutUrl)
: initialValues?.logout?.frontChannelLogoutUrl
},
🤖 Prompt for AI Agents
In `@features/admin.applications.v1/components/forms/inbound-oidc-form.tsx` around
lines 1694 - 1698, The SPA branch always reads
values.get("frontChannelLogoutUrl") which can be undefined and accidentally
clear an existing URL; update the logout.frontChannelLogoutUrl assignment to
mirror the non‑SPA guard by only using values.get("frontChannelLogoutUrl") when
the front‑channel logout field is shown (isFrontChannelLogoutEnabled /
showFrontChannelLogout), otherwise keep
initialValues?.logout?.frontChannelLogoutUrl; reference the logout object,
frontChannelLogoutUrl key, isFrontChannelLogoutEnabled (or
showFrontChannelLogout), values.get("frontChannelLogoutUrl") and
initialValues?.logout?.frontChannelLogoutUrl when making this conditional
change.
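
What each variant discussed in the review above puts into the serialized request, as an added TypeScript example (not code from the PR or the project). `FormState`, `resolveUrl`, `serializeUpdate` and the sample URL are assumptions made for the illustration; how the server treats an empty `logout` object is not shown on this page and is not modelled here.

```typescript
// Added illustration. FormState and its field names are hypothetical stand-ins
// for the form inputs named in the review; sample values are constructed.
interface FormState {
    enabled: boolean;               // isFrontChannelLogoutEnabled
    fieldShown: boolean;            // showFrontChannelLogout
    formValue: string | undefined;  // values.get("frontChannelLogoutUrl")
    stored: string | undefined;     // initialValues?.logout?.frontChannelLogoutUrl
}

// "form-value-only": the ternary commented on at lines +1694 to +1698.
// "nullish-fallback": the same ternary with the suggested `??` fallback.
type Variant = "form-value-only" | "nullish-fallback";

// Resolve the URL the way each variant of the ternary does.
function resolveUrl(s: FormState, variant: Variant): string | undefined {
    if (!s.enabled) {
        return s.stored;
    }
    return variant === "form-value-only" ? s.formValue : (s.formValue ?? s.stored);
}

// Build the update body and serialize it as a JSON client would.
// dropWhenHidden applies the suggested "delete logout" guard.
function serializeUpdate(s: FormState, variant: Variant, dropWhenHidden: boolean): string {
    const body: { logout?: { frontChannelLogoutUrl: string | undefined }; publicClient: boolean } = {
        logout: { frontChannelLogoutUrl: resolveUrl(s, variant) },
        publicClient: true
    };
    if (dropWhenHidden && !s.fieldShown) {
        delete body.logout;
    }
    // JSON.stringify omits keys whose value is undefined, so an unset
    // form field leaves an empty logout object in the request.
    return JSON.stringify(body);
}

const STORED_URL = "https://app.example.com/fc-logout"; // constructed sample

const unsetField: FormState = {
    enabled: true, fieldShown: true, formValue: undefined, stored: STORED_URL
};

console.log(serializeUpdate(unsetField, "form-value-only", false));
console.log(serializeUpdate(unsetField, "nullish-fallback", false));
console.log(serializeUpdate({ ...unsetField, formValue: "" }, "nullish-fallback", false));
console.log(serializeUpdate({ ...unsetField, fieldShown: false }, "form-value-only", true));
```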

codecov bot commented Feb 10, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 55.88%. Comparing base (c67bea3) to head (524b371).
⚠️ Report is 34 commits behind head on master.

Additional details and impacted files
@@           Coverage Diff           @@
##           master    #9590   +/-   ##
=======================================
  Coverage   55.88%   55.88%           
=======================================
  Files          42       42           
  Lines        1020     1020           
  Branches      247      231   -16     
=======================================
  Hits          570      570           
- Misses        416      450   +34     
+ Partials       34        0   -34     
| Flag | Coverage Δ |
| --- | --- |
| @wso2is/core | 55.88% <ø> (ø) |

see 10 files with indirect coverage changes

@pavinduLakshan pavinduLakshan left a comment

Let's add changeset

@piraveena piraveena merged commit 604f1af into wso2:master Feb 11, 2026
10 checks passed