IdentityModel / oidc-token-manager

Apache License 2.0

redirectForLogout() ignores post_logout_redirect_uri #59

Closed lexon0011 closed 8 years ago

lexon0011 commented 8 years ago

I have noticed that if I call redirectForLogout() after the token has expired, the oidc-token-manager redirects to the logout page of the idsrv, but does not redirect back to the given post_logout_redirect_uri.

I found the following statement in oidc-token-manager.js on line 8066:

```js
if (id_token_hint && settings.post_logout_redirect_uri) {
    url += "?post_logout_redirect_uri=" + encodeURIComponent(settings.post_logout_redirect_uri);
    url += "&id_token_hint=" + encodeURIComponent(id_token_hint);
}
```

I don't understand why the post_logout_redirect_uri is not included in the URL if the id_token_hint is empty. What do you think of the following proposal:

```js
if (settings.post_logout_redirect_uri) {
    url += "?post_logout_redirect_uri=" + encodeURIComponent(settings.post_logout_redirect_uri);
}
if (id_token_hint) {
    url += "&id_token_hint=" + encodeURIComponent(id_token_hint);
}
```

Thanks!

leastprivilege commented 8 years ago

The post logout redirect URI will only be honoured by identityserver if the id token hint is sent along.
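
An added example, not part of the thread and not code from oidc-token-manager or IdentityServer: a small model of the behaviour described in the reply above, where the provider uses the id_token_hint to identify the client and only then checks post_logout_redirect_uri against that client's registered values. The registry, the hostnames and the function names are assumptions made for illustration.

```javascript
// Added example: hypothetical model, not IdentityServer or oidc-token-manager code.
// Constructed registry: client_id -> registered post-logout redirect URIs.
const CLIENTS = new Map([["js-client", ["https://app.example/signed-out.html"]]]);

// Client side: build the end-session URL with correct "?" and "&" separators
// for any combination of the two optional parameters.
function buildLogoutUrl(endSessionEndpoint, idTokenHint, postLogoutRedirectUri) {
  const params = [];
  if (idTokenHint) params.push("id_token_hint=" + encodeURIComponent(idTokenHint));
  if (postLogoutRedirectUri) {
    params.push("post_logout_redirect_uri=" + encodeURIComponent(postLogoutRedirectUri));
  }
  return params.length ? endSessionEndpoint + "?" + params.join("&") : endSessionEndpoint;
}

// Read the "aud" claim from a JWT payload. Signature validation is omitted to
// keep the example short; a real provider must verify the token first.
function audienceOf(jwt) {
  const parts = String(jwt).split(".");
  if (parts.length !== 3) return null;
  try {
    const payload = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
    return typeof payload.aud === "string" ? payload.aud : null;
  } catch (e) {
    return null;
  }
}

// Provider side: return the URI to redirect to after logout, or null to stay
// on the provider's own logged-out page.
function resolvePostLogoutRedirect(requestUrl) {
  const query = new URL(requestUrl).searchParams;
  const hint = query.get("id_token_hint");
  const target = query.get("post_logout_redirect_uri");
  if (!hint || !target) return null; // no hint: the client is unknown, so the URI is ignored
  const registered = CLIENTS.get(audienceOf(hint));
  if (!registered) return null; // hint does not name a known client
  return registered.includes(target) ? target : null; // exact match only
}

// Constructed sample token (placeholder signature) with payload {"aud": <aud>}.
function sampleToken(aud) {
  const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
  return b64({ typ: "JWT" }) + "." + b64({ aud: aud }) + ".sig";
}
```

Without the hint, the provider in this model cannot tell which client's registered URIs to compare against, so an unvalidated redirect target is dropped rather than followed.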