zmartzone · patryk-sob · Jun 10, 2024 · Jun 10, 2024 · Oct 15, 2024 · Oct 15, 2024
diff --git a/README.md b/README.md
@@ -144,6 +144,8 @@ h2JHukolz9xf6qN61QMLSd83+kwoBr2drp6xg3eGDLIkQCQLrkY=
              -- Where should the user be redirected after logout from the RP. This option overides any end_session_endpoint that the OP may have provided in the discovery response.
              --redirect_after_logout_with_id_token_hint = true,
              -- Whether the redirection after logout should include the id token as an hint (if available). This option is used only if redirect_after_logout_uri is set.
+             --redirect_after_logout_with_client_id = true,
+             -- Whether the redirection after logout should include the client id (if available).
              --post_logout_redirect_uri = "https://www.zmartzone.eu/logoutSuccessful",
              -- Where does the RP requests that the OP redirects the user after logout. If this option is set to a relative URI, it will be relative to the OP's logout endpoint, not the RP's.
 

diff --git a/lib/resty/openidc.lua b/lib/resty/openidc.lua
@@ -1381,6 +1381,8 @@ local function openidc_logout(opts, session)
     local params = {}
     if (opts.redirect_after_logout_with_id_token_hint or not opts.redirect_after_logout_uri) and session_token then
       params["id_token_hint"] = session_token
+    elseif opts.redirect_after_logout_with_client_id and opts.client_id then
+      params["client_id"] = opts.client_id
     end
     if opts.post_logout_redirect_uri then
       params["post_logout_redirect_uri"] = opts.post_logout_redirect_uri

diff --git a/tests/spec/logout_spec.lua b/tests/spec/logout_spec.lua
@@ -589,3 +589,36 @@ describe("when the configured logout uri is invoked with no active session", fun
     assert.is.Nil(headers["set-cookie"])
   end)
 end)
+
+describe("when logout is invoked and a callback with client id has been configured", function()
+  test_support.start_server({
+      oidc_opts = {
+        discovery = {
+          end_session_endpoint = "http://127.0.0.1/end-session",
+          ping_end_session_endpoint = "http://127.0.0.1/ping-end-session",
+        },
+        redirect_after_logout_uri = "http://127.0.0.1/after-logout",
+        redirect_after_logout_with_id_token_hint = false,
+        redirect_after_logout_with_client_id = true,
+        client_id = "client_id",
+      }
+  })
+  teardown(test_support.stop_server)
+  local _, _, cookie = test_support.login()
+  local _, status, headers = http.request({
+      url = "http://127.0.0.1/default/logout",
+      headers = { cookie = cookie },
+      redirect = false
+  })
+  it("the response redirects to the callback", function()
+    assert.are.equals(302, status)
+    assert.truthy(string.match(headers["location"], "http://127.0.0.1/after%-logout.*"))
+  end)
+  it("the redirect contains the client_id", function()
+    assert.truthy(string.match(headers["location"], ".*%?client_id=.*"))
+  end)
+  it("the session cookie has been revoked", function()
+    assert.truthy(string.match(headers["set-cookie"],
+            "session=; Path=/; SameSite=Lax; HttpOnly; Expires=Thu, 01 Jan 1970 00:00:01 GMT; .*"))
+  end)
+end)