Honor params passed to logout over defaults (#533)

auth0 · Nov 2, 2023 · 86f5abf · 86f5abf
1 parent cc78f00
commit 86f5abf
Show file tree

Hide file tree

Showing 2 changed files with 50 additions and 3 deletions.
diff --git a/lib/context.js b/lib/context.js
@@ -324,9 +324,9 @@ class ResponseContext {
 
       returnURL = client.endSessionUrl({
         ...config.logoutParams,
-        ...params.logoutParams,
-        post_logout_redirect_uri: returnURL,
         id_token_hint,
+        post_logout_redirect_uri: returnURL,
+        ...params.logoutParams,
       });
     } catch (err) {
       return next(err);

diff --git a/test/logout.tests.js b/test/logout.tests.js
@@ -95,7 +95,7 @@ describe('logout route', async () => {
     assert.include(
       response.headers,
       {
-        location: `https://op.example.com/session/end?post_logout_redirect_uri=http%3A%2F%2Fexample.org&id_token_hint=${idToken}`,
+        location: `https://op.example.com/session/end?id_token_hint=${idToken}&post_logout_redirect_uri=http%3A%2F%2Fexample.org`,
       },
       'should redirect to the identity provider'
     );
@@ -297,6 +297,53 @@ describe('logout route', async () => {
     assert.equal(url.hostname, 'foo.com');
   });
 
+  it('should honor logout url arguments over logout params', async () => {
+    const router = auth({
+      ...defaultConfig,
+      idpLogout: true,
+      routes: { logout: false },
+    });
+    server = await createServer(router);
+    router.get('/logout', (req, res) =>
+      res.oidc.logout({
+        logoutParams: { post_logout_redirect_uri: 'http://bar.com' },
+      })
+    );
+
+    const { jar } = await login();
+    const {
+      response: {
+        headers: { location },
+      },
+    } = await logout(jar);
+    const url = new URL(
+      new URL(location).searchParams.get('post_logout_redirect_uri')
+    );
+    assert.equal(url.hostname, 'bar.com');
+  });
+
+  it('should honor logout id_token_hint arguments over default', async () => {
+    const router = auth({
+      ...defaultConfig,
+      idpLogout: true,
+      routes: { logout: false },
+    });
+    server = await createServer(router);
+    router.get('/logout', (req, res) =>
+      res.oidc.logout({
+        logoutParams: { id_token_hint: null },
+      })
+    );
+
+    const { jar } = await login();
+    const {
+      response: {
+        headers: { location },
+      },
+    } = await logout(jar);
+    assert.notOk(new URL(location).searchParams.get('id_token_hint'));
+  });
+
   it('should ignore undefined or null logout params', async () => {
     server = await createServer(
       auth({