Closed s2t2 closed 6 years ago
Reference: Example logout code from the Node.js OpenID client.
However, similar code produces an Express redirect error that never resolves:
```javascript
// Logout from this application and from login.gov
app.get('/auth/login-gov/oidc-logout', function(req, res, next) {
  //req.logout();
  const logoutUrl = `${loginGov.discoveryUrl}/openid_connect/logout`
  console.log("LOGOUT URL", logoutUrl)
  res.redirect(logoutUrl, {
    search: null,
    query: {
      id_token_hint: "ABC-123",
      state: loginGov.randomString(32),
      post_logout_redirect_uri: logoutRedirectUrl
    }
  });
});
```
EDIT: a redirect happens without error if the query params are hard-coded into the URL string:

```javascript
res.redirect(requestUrl);
```
Right now the server doesn't recognize the post-logout redirect URL because it doesn't recognize the service provider, which it detects by parsing the token. So next steps should be to pass the proper token, and both of these server errors should go away.
Right now, the logout link signs the user out of this application, but does not also sign them out of login.gov. There are situations where this is desirable; however, there are also situations where it would be desirable to also sign the user out of login.gov. For demonstration purposes, this application should present the user with an option to do either.
See: https://developers.login.gov/openid-connect/#logout-request for information about making the logout request:
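An added example, not code from this issue or from the project: one way to encode the three logout parameters named above into a single URL string for `res.redirect`, and to check the `state` value when the user returns. The function names, the `idp.example.test` host and the session wiring shown in comments are assumptions.

```javascript
const crypto = require('crypto');

// Build the logout redirect as one fully encoded URL string. Express's
// res.redirect() takes a URL string (plus an optional status code), so the
// query parameters have to be part of the string itself.
function buildLogoutUrl(logoutEndpoint, { idTokenHint, postLogoutRedirectUri }) {
  // Per the issue text, the server identifies the service provider by
  // parsing the token, so a missing token is rejected before redirecting.
  if (!idTokenHint) throw new Error('id_token_hint is required');
  if (!postLogoutRedirectUri) throw new Error('post_logout_redirect_uri is required');

  // Unguessable per-request value: 16 random bytes -> 32 hex characters.
  const state = crypto.randomBytes(16).toString('hex');

  const url = new URL(logoutEndpoint);
  // URLSearchParams percent-encodes each value, including the nested
  // redirect URI with its own ':' '/' '?' and '&' characters.
  url.search = new URLSearchParams({
    id_token_hint: idTokenHint,
    post_logout_redirect_uri: postLogoutRedirectUri,
    state,
  }).toString();

  return { url: url.toString(), state };
}

// Compare the state echoed back on the post-logout redirect with the one
// stored before redirecting, in constant time and without throwing on
// length mismatch.
function stateMatches(expected, received) {
  if (typeof expected !== 'string' || typeof received !== 'string') return false;
  const a = Buffer.from(expected);
  const b = Buffer.from(received);
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// Hypothetical wiring inside the Express handler (session storage assumed):
//   const { url, state } = buildLogoutUrl(endpoint, {
//     idTokenHint: req.session.idToken,
//     postLogoutRedirectUri: logoutRedirectUrl,
//   });
//   req.session.logoutState = state;
//   res.redirect(url);
```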