Closed timvanoostrom closed 10 months ago
Hi @timvanoostrom - will review this request and get back to you
@timvanoostrom - will ship 2.17.1 shortly, when that's available you'll be able to override the `id_token_hint` param (setting to `null` or `undefined` will remove it) and use the `logout_hint` parameter like so:

```js
app.use(auth({ routes: { logout: false } }));

app.get('/logout', (req, res) =>
  res.oidc.logout({
    logoutParams: {
      id_token_hint: null,
      logout_hint: 'foo',
    },
  })
);
```

Thanks Adam!
Describe the problem you'd like to have solved
Is it possible to make `id_token_hint` optional and allow `logout_hint` instead? For security/privacy purposes we would like to prevent the id_token from being present in any of the GET calls to the IDP server, specifically the route to `end_session_endpoint`.
Although the `id_token_hint=$id_token` param is the recommended way [1], `logout_hint` better suits our use-case.
[1] https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RPLogout
Describe the ideal solution
Make `id_token_hint` optional and allow `logout_hint`.
Alternatives and current workarounds
We can of course implement our own request to the `end_session_endpoint` but that would mean moving out of scope of the library.
Additional context
No response
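
As an added example (not code from express-openid-connect or from anyone in this thread), the sketch below models the override described in the maintainer's comment, where a `null` or `undefined` logout parameter is dropped, and then checks the resulting `end_session_endpoint` URL for JWT-shaped query values. The helper names `buildEndSessionUrl` and `findTokenLeaks`, the endpoint and the token are all constructed for illustration.

```javascript
// Added example: a model of the override semantics, not the library's source.
// buildEndSessionUrl and findTokenLeaks are hypothetical helper names.

// Merge default logout params with overrides; a null/undefined value removes
// the parameter, as described for logoutParams in the thread.
function buildEndSessionUrl(endSessionEndpoint, defaults, overrides = {}) {
  const url = new URL(endSessionEndpoint);
  const merged = { ...defaults, ...overrides };
  for (const [key, value] of Object.entries(merged)) {
    if (value === null || value === undefined) continue; // parameter dropped
    url.searchParams.set(key, String(value));
  }
  return url.toString();
}

// Return the names of query parameters whose value looks like a compact JWT:
// three base64url segments, with a header that decodes to JSON carrying "alg".
function findTokenLeaks(urlString) {
  const leaks = [];
  for (const [key, value] of new URL(urlString).searchParams) {
    const parts = value.split('.');
    if (parts.length !== 3 || !parts.every((p) => /^[A-Za-z0-9_-]+$/.test(p))) continue;
    try {
      const header = JSON.parse(Buffer.from(parts[0], 'base64url').toString('utf8'));
      if (header && typeof header.alg === 'string') leaks.push(key);
    } catch { /* header is not JSON, so this is not a JWT */ }
  }
  return leaks;
}

// Constructed sample values (not a real token, IdP or application).
const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const sampleIdToken = `${b64({ alg: 'RS256', typ: 'JWT' })}.${b64({ sub: 'user-1' })}.c2lnbmF0dXJl`;
const endpoint = 'https://idp.example.test/oidc/logout';
const defaults = {
  id_token_hint: sampleIdToken,
  post_logout_redirect_uri: 'https://app.example.test/',
};

// Default behaviour: the ID token travels in the GET query string.
const defaultUrl = buildEndSessionUrl(endpoint, defaults);
// With the override from the thread: id_token_hint removed, logout_hint sent.
const hintedUrl = buildEndSessionUrl(endpoint, defaults, {
  id_token_hint: null,
  logout_hint: 'foo',
});

console.log(findTokenLeaks(defaultUrl), findTokenLeaks(hintedUrl));
```

The same `findTokenLeaks` check can be run over redirect URLs captured in an integration test to confirm that no ID token reaches the IdP's access logs via the query string.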