Support state and id_token_hint for the OpenID Connect endsession endpoint


The OpenID Connect spec supports a redirect back to the application after logout at the authorization server:

There are two optional parameters (id_token_hint and state) which influence the way the identity provider shows a logout confirmation, and make it redirect back with the state parameter filled in.

In Amdatu Security OpenIdConnectProvider this is not fully supported. When the logout endpoint is called, the provider checks the m_config.isEndSessionAtLogout property, which can be set to indicate that the authorization server's endsession endpoint should be called as well. What is missing is a way to add the state and id_token_hint parameters to that call.

Add an additional parameter to the /logout endpoint to include a state parameter (e.g. /logout/state/1234). When this parameter is present, the id_token_hint and state parameters are added to the call to the endsession endpoint.

(To be implemented in/around getEndSessionURI in

Additional bug/note:
The endsession URL that is constructed has the msg parameter appended to it. This is not part of the endsession endpoint specification. If the intention was to append it to the redirect URL, then it should be URL-encoded as part of that redirect URL.
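One way the endsession URL could be assembled once the two parameters are supported, covering both the feature request above and the msg note just above. This is an added illustration, not Amdatu's getEndSessionURI; the class name, method signature and the handling of post_logout_redirect_uri are assumptions. The application-specific msg is carried inside the (encoded) redirect URL instead of being appended to the endsession URL itself.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.StringJoiner;

/** Illustrative builder for the OpenID Connect end-session request URL (not Amdatu code). */
public final class EndSessionUriBuilder {

    // application/x-www-form-urlencoded encoding of a single query component
    private static String enc(String v) {
        return URLEncoder.encode(v, StandardCharsets.UTF_8);
    }

    // Serialises the map as a query string, skipping parameters whose value is null
    private static String query(Map<String, String> params) {
        StringJoiner q = new StringJoiner("&");
        params.forEach((k, v) -> { if (v != null) q.add(enc(k) + "=" + enc(v)); });
        return q.toString();
    }

    /**
     * Assumed signature. endSessionEndpoint and postLogoutRedirectUri are taken from the
     * provider configuration; idToken and state are per-request and optional.
     * msg belongs to the application, so it is placed in the redirect URL's query and is
     * therefore encoded twice: once inside the redirect URL, once as the value of
     * post_logout_redirect_uri. It is never emitted as a top-level end-session parameter.
     */
    public static URI build(String endSessionEndpoint, String postLogoutRedirectUri,
                            String idToken, String state, String msg) {
        String redirect = postLogoutRedirectUri;
        if (msg != null) {
            redirect += (redirect.contains("?") ? "&" : "?") + "msg=" + enc(msg);
        }
        Map<String, String> params = new LinkedHashMap<>();
        params.put("post_logout_redirect_uri", redirect);
        params.put("id_token_hint", idToken);   // omitted when no id token is available
        params.put("state", state);             // omitted when /logout was called without state
        return URI.create(endSessionEndpoint + "?" + query(params));
    }

    public static void main(String[] args) {
        // Constructed sample values; the id token is a placeholder, not a real JWT
        System.out.println(build("https://op.example.test/endsession",
                "https://app.example.test/loggedout",
                "constructed-id-token", "1234", "You are logged out & done"));
    }
}
```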


(Backreference GLOBE-5903)





Markus Rechtien