Make id_token_hint optional?

AxaFrance / oidc-client

Light, Secure, Pure Javascript OIDC (Open ID Connect) Client. We provide also a REACT wrapper (compatible NextJS, etc.).

MIT License

570 stars 152 forks source link

Make id_token_hint optional? #1371

Open iedokpayintsb opened 1 month ago

iedokpayintsb commented 1 month ago

Login.Gov does not support id_token_hint

We are using axa-fr/react-oidc with Login.gov and have discovered that id_token_hint is deprecated in the logout redirect uri.

axa-fr/react-oidc 7.22.4, react 18.2.0, vite 5.1.4

Screenshots

id_token_hint

Expected

Logout redirects back to application

Actual

Logout redirects to page in screen shot in login.gov sandbox

Installed packages:

guillaume-chervet commented 1 month ago

Hi @iedokpayintsb thank you for your issue. I have to add a test case.

I think if you add a id_token_hint=undefined in extras and also you client_id in extras it should work. I will look at the specification and update this as default behavior if it is necessary. It is simpler to use client_id.

iedokpayintsb commented 1 month ago

Currently we just remove id_token_hint from the final URL with a custom location class.