do an idp logout even when oidc.isAuthenticated is false

auth0 · Jan 2, 2025 · 91341f4 · 91341f4
1 parent 7dbc3b4
commit 91341f4
Showing 1 changed file with 29 additions and 12 deletions.
diff --git a/lib/context.js b/lib/context.js
@@ -303,6 +303,31 @@ class ResponseContext {
     try {
       const { client } = await getClient(config);
 
+      /**
+       * Generates the logout URL.
+       *
+       * Depending on the configuration, this function will either perform a local only logout
+       * or a federated logout by redirecting to the appropriate URL.
+       *
+       * @param {string} idTokenHint - The ID token hint to be used for the logout request.
+       * @returns {string} The URL to redirect the user to for logout.
+       */
+      const getLogoutUrl = (idTokenHint) => {
+        // if idpLogout is not configured, perform a local only logout
+        if (!config.idpLogout) {
+          debug('performing a local only logout, redirecting to %s', returnURL);
+          return returnURL;
+        }
+
+        // if idpLogout is configured, perform a federated logout
+        return client.endSessionUrl({
+          ...config.logoutParams,
+          ...(idTokenHint && { id_token_hint: idTokenHint }),
+          post_logout_redirect_uri: returnURL,
+          ...params.logoutParams,
+        });
+      };
+
       if (url.parse(returnURL).host === null) {
         returnURL = urlJoin(config.baseURL, returnURL);
       }
@@ -311,23 +336,15 @@ class ResponseContext {
 
       if (!req.oidc.isAuthenticated()) {
         debug('end-user already logged out, redirecting to %s', returnURL);
-        return res.redirect(returnURL);
+
+        // perform idp logout with no token hint
+        return res.redirect(getLogoutUrl(undefined));
       }
 
       const { idToken: id_token_hint } = req.oidc;
       req[config.session.name] = undefined;
 
-      if (!config.idpLogout) {
-        debug('performing a local only logout, redirecting to %s', returnURL);
-        return res.redirect(returnURL);
-      }
-
-      returnURL = client.endSessionUrl({
-        ...config.logoutParams,
-        id_token_hint,
-        post_logout_redirect_uri: returnURL,
-        ...params.logoutParams,
-      });
+      returnURL = getLogoutUrl(id_token_hint);
     } catch (err) {
       return next(err);
     }