6 changes: 5 additions & 1 deletion lib/keycloak.js
Expand Up @@ -335,11 +335,15 @@ export default class Keycloak {
form.style.display = 'none'

// Add data to form as hidden input fields.
// Match behavior of createLogoutUrl() for GET requests.
const data = {
id_token_hint: this.idToken,
client_id: this.clientId,
post_logout_redirect_uri: redirectUri(options)
}
// Only add id token parameter when it is present to avoid error 'invalid id token hint'
if (this.idToken) {
data.id_token_hint = this.idToken
}

for (const [name, value] of Object.entries(data)) {
const input = document.createElement('input')
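Review bot: With `id_token_hint` now left out when `this.idToken` is empty, the POST logout carries only `client_id` and `post_logout_redirect_uri`, and the comment above the `if` names the error being avoided but not what the server does instead. In OpenID Connect RP-initiated logout the hint is what lets the provider tie the request to the user's session, so without it the provider may ask the user to confirm the logout rather than complete it silently. I would extend the comment to something like `// Without id_token_hint the server cannot tie the request to a session and may prompt the user to confirm the logout.` The line `// Match behavior of createLogoutUrl() for GET requests.` would also read better directly above the `if (this.idToken)` block it describes; createLogoutUrl() is outside this hunk, so the claimed parity cannot be checked from here. The enclosing method starts and ends outside the hunk.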
31 changes: 31 additions & 0 deletions test/tests/login.spec.ts
Expand Up @@ -19,6 +19,11 @@ test('logs in and out with default configuration', async ({ page, appUrl, authSe
// After logging out, the user should no longer be authenticated.
expect(await executor.initializeAdapter(initOptions)).toBe(false)
expect(await executor.isAuthenticated()).toBe(false)
// Logout again to simulate a call with an unauthenticated user (id token is not present)
await executor.logout()
// After logging out again, the user should still not be authenticated.
expect(await executor.initializeAdapter(initOptions)).toBe(false)
expect(await executor.isAuthenticated()).toBe(false)
})

test('logs in and out using a URL to the adapter config', async ({ page, appUrl, authServerUrl }) => {
Expand All @@ -39,6 +44,11 @@ test('logs in and out using a URL to the adapter config', async ({ page, appUrl,
// After logging out, the user should no longer be authenticated.
await executor.instantiateAdapter(configUrl.toString())
expect(await executor.initializeAdapter(initOptions)).toBe(false)
// Logout again to simulate a call with an unauthenticated user (id token is not present)
await executor.logout()
// After logging out again, the user should still not be authenticated.
await executor.instantiateAdapter(configUrl.toString())
expect(await executor.initializeAdapter(initOptions)).toBe(false)
})

test('logs in and out using a generic OpenID provider', async ({ page, appUrl, authServerUrl }) => {
Expand All @@ -61,6 +71,11 @@ test('logs in and out using a generic OpenID provider', async ({ page, appUrl, a
// After logging out, the user should no longer be authenticated.
await executor.instantiateAdapter(configOptions)
expect(await executor.initializeAdapter(initOptions)).toBe(false)
// Logout again to simulate a call with an unauthenticated user (id token is not present)
await executor.logout()
// After logging out again, the user should still not be authenticated.
await executor.instantiateAdapter(configOptions)
expect(await executor.initializeAdapter(initOptions)).toBe(false)
})

test('logs in and out without initialization options', async ({ page, appUrl, authServerUrl }) => {
Expand All @@ -75,6 +90,10 @@ test('logs in and out without initialization options', async ({ page, appUrl, au
await executor.logout()
// After logging out, the user should no longer be authenticated.
expect(await executor.initializeAdapter()).toBe(false)
// Logout again to simulate a call with an unauthenticated user (id token is not present)
await executor.logout()
// After logging out again, the user should still not be authenticated.
expect(await executor.initializeAdapter()).toBe(false)
})

test('logs in and out without PKCE', async ({ page, appUrl, authServerUrl }) => {
Expand All @@ -90,6 +109,10 @@ test('logs in and out without PKCE', async ({ page, appUrl, authServerUrl }) =>
await executor.logout()
// After logging out, the user should no longer be authenticated.
expect(await executor.initializeAdapter(initOptions)).toBe(false)
// Logout again to simulate a call with an unauthenticated user (id token is not present)
await executor.logout()
// After logging out again, the user should still not be authenticated.
expect(await executor.initializeAdapter(initOptions)).toBe(false)
})

test("logs in and out with 'POST' logout configured at initialization", async ({ page, appUrl, authServerUrl }) => {
Expand All @@ -105,6 +128,10 @@ test("logs in and out with 'POST' logout configured at initialization", async ({
await executor.logout()
// After logging out, the user should no longer be authenticated.
expect(await executor.initializeAdapter(initOptions)).toBe(false)
// Logout again to simulate a call with an unauthenticated user (id token is not present)
await executor.logout()
// After logging out again, the user should still not be authenticated.
expect(await executor.initializeAdapter(initOptions)).toBe(false)
})

test("logs in and out with 'POST' logout configured at logout", async ({ page, appUrl, authServerUrl }) => {
Expand All @@ -120,6 +147,10 @@ test("logs in and out with 'POST' logout configured at logout", async ({ page, a
await executor.logout({ logoutMethod: 'POST' })
// After logging out, the user should no longer be authenticated.
expect(await executor.initializeAdapter(initOptions)).toBe(false)
// Logout again to simulate a call with an unauthenticated user (id token is not present)
await executor.logout({ logoutMethod: 'POST' })
// After logging out again, the user should still not be authenticated.
expect(await executor.initializeAdapter(initOptions)).toBe(false)
})

test('logs in and checks session status', async ({ page, appUrl, authServerUrl, strictCookies }) => {
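Review bot: The second `executor.logout()` in each test is followed only by `expect(await executor.initializeAdapter(...)).toBe(false)`, which was already true before the call, so these assertions would presumably still pass if the logout request failed with 'invalid id token hint'. To pin the regression, assert something the second logout itself produces, for example that the browser ends up back on the application rather than on a server error page: `await expect(page).toHaveURL(appUrl.toString())`. That line is a sketch and assumes `appUrl` is the page the executor returns to, which is not visible in these hunks. The same added pattern repeats in all seven tests of this file, so the stronger check could live in one small helper.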