auth0 / express-openid-connect

An Express.js middleware to protect OpenID Connect web applications.
MIT License
465 stars 140 forks

Allow logout_hint instead of id_token_hint #530

Closed timvanoostrom closed 10 months ago

timvanoostrom commented 10 months ago

Checklist

Describe the problem you'd like to have solved

Is it possible to make id_token_hint optional and allow logout_hint instead? For security/privacy purposes we would like to prevent the id_token from being present in any of the GET calls to the IDP server, specifically the route to the end_session_endpoint.

Although the id_token_hint=$id_token param is the recommended way [1], logout_hint better suits our use case.

[1] https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RPLogout

Describe the ideal solution

Make id_token_hint optional and allow logout_hint.

Alternatives and current workarounds

We can of course implement our own request to the end_session_endpoint but that would mean moving out of scope of the library.

Additional context

No response

adamjmcgrath commented 10 months ago

Hi @timvanoostrom - will review this request and get back to you

adamjmcgrath commented 10 months ago

@timvanoostrom - will ship 2.17.1 shortly, when that's available you'll be able to override the id_token_hint param (setting to null or undefined will remove it) and use the logout_hint parameter like so:

const express = require('express');
const { auth } = require('express-openid-connect');

const app = express();

// Disable the built-in /logout route so a custom one can pass its own logoutParams.
// The remaining auth() settings (issuerBaseURL, clientID, secret, baseURL) are
// read from the usual environment variables and omitted here.
app.use(auth({ routes: { logout: false } }));

app.get('/logout', (req, res) =>
  res.oidc.logout({
    logoutParams: {
      id_token_hint: null, // null or undefined removes the param from the end_session request
      logout_hint: 'foo',
    },
  })
);
timvanoostrom commented 10 months ago

Thanks Adam!