Add id_token_hint to the post logout redirect uri, to facilitate the direct redirect (without confirmation) with some IdP sofware (keycloak)

CSDUMMI · CSDUMMI · commit 5ff1097303e0 · 2023-03-01T14:47:54.000+01:00
diff --git a/lib/omniauth/strategies/openid_connect.rb b/lib/omniauth/strategies/openid_connect.rb
@@ -423,8 +423,10 @@ def redirect_uri
       def encoded_post_logout_redirect_uri
         return unless options.post_logout_redirect_uri
 
+        id_token_hint = @access_token.id_token if @acess_token
         URI.encode_www_form(
-          post_logout_redirect_uri: options.post_logout_redirect_uri
+          post_logout_redirect_uri: options.post_logout_redirect_uri,
+          id_token_hint: id_token_hint
         )
       end
 
diff --git a/test/lib/omniauth/strategies/openid_connect_test.rb b/test/lib/omniauth/strategies/openid_connect_test.rb
@@ -45,7 +45,7 @@ def test_logout_phase_with_discovery
       end
 
       def test_logout_phase_with_discovery_and_post_logout_redirect_uri
-        expected_redirect = 'https://example.com/logout?post_logout_redirect_uri=https%3A%2F%2Fmysite.com'
+        expected_redirect = 'https://example.com/logout?post_logout_redirect_uri=https%3A%2F%2Fmysite.com&id_token_hint'
         strategy.options.client_options.host = 'example.com'
         strategy.options.discovery = true
         strategy.options.post_logout_redirect_uri = 'https://mysite.com'
