Support for federated logout via id_token_hint, remembering the id_token


In AMDATUSEC-60 (Support state and id_token_hint for OpenID Connect end session endpoint; RESOLVED), support was added for federated logout so that state and id_token_hint can be added as parameters. That implementation was incomplete. This PR improves it.

To log out at the OpenID Connect end session endpoint, the id_token_hint parameter tells the identity server that you want to log off and be returned to the application. If the parameter is not supplied, the identity server will ask whether you want to log off, and log you off, but NOT redirect back to the application.

To send that parameter you need to send the id_token that we received during logon. This PR also stores the id_token in the JWT, in the same way as the access token. That token is picked up when we log off and the 'endSessionAtLogout' parameter is set. This makes the id_token_hint in the request path of the logout calls obsolete, so I deprecated that method and added one with only the 'state' parameter.

The second change is to expose the logout as an additional endpoint which does not return the federated logout URL as a redirect, but as data. In that way we can make a two-step logout: the first action logs off locally and returns the URL to log out everywhere. We can give the user the choice to log out everywhere and log on as a new user, or to log on at our application again.





Kees van Ginkel
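The two-step flow described above (store the id_token next to the access token at logon, drop the local session, hand the end session URL back as data, and check the state when the identity server returns), as an added illustration in Python. This is not code from Amdatu Security; the session record, the LogoutManager class and the endpoint URLs are constructed for the example. It also covers the failure mode the description mentions: a session that has no stored id_token still gets an end session URL, but the caller is told that the identity server will not redirect back.

```python
"""Two-step OpenID Connect RP-initiated logout (added example, not project code).

Assumptions: the application keeps a server-side session record per user that
carries the tokens received at logon, and the OP's end session endpoint accepts
id_token_hint, state and post_logout_redirect_uri as query parameters.
"""
import secrets
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse


@dataclass
class Session:
    """Constructed stand-in for the session JWT: tokens received at logon."""
    subject: str
    access_token: str
    id_token: Optional[str] = None   # None for sessions created before the id_token was stored


@dataclass
class FederatedLogout:
    url: str                         # end session URL, returned as data, not as a redirect
    redirects_back: bool             # False when no id_token_hint could be sent


def query_params(url: str) -> dict:
    """Flatten the query string of a URL to {name: first_value}."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class LogoutManager:
    def __init__(self, end_session_endpoint: str, post_logout_redirect_uri: str):
        self.end_session_endpoint = end_session_endpoint
        self.post_logout_redirect_uri = post_logout_redirect_uri
        self.sessions: dict = {}     # session id -> Session
        self.pending: dict = {}      # state we issued -> subject awaiting the OP callback

    def login(self, session_id: str, subject: str, access_token: str,
              id_token: Optional[str]) -> None:
        # Keep the id_token next to the access token so it is available at logoff.
        self.sessions[session_id] = Session(subject, access_token, id_token)

    def build_end_session_url(self, session: Session) -> FederatedLogout:
        # A fresh, unguessable state per logout lets the callback be matched to this session.
        state = secrets.token_urlsafe(24)
        params = {"state": state, "post_logout_redirect_uri": self.post_logout_redirect_uri}
        if session.id_token:
            params["id_token_hint"] = session.id_token   # without it the OP will not redirect back
        self.pending[state] = session.subject
        return FederatedLogout(f"{self.end_session_endpoint}?{urlencode(params)}",
                               redirects_back=session.id_token is not None)

    def logout_local(self, session_id: str) -> Optional[FederatedLogout]:
        """Step 1: drop the local session; return the federated logout URL as data."""
        session = self.sessions.pop(session_id, None)
        if session is None:
            return None
        return self.build_end_session_url(session)

    def handle_post_logout(self, return_url: str) -> Optional[str]:
        """Step 2 callback from the OP: accept only a state we issued, and only once."""
        state = query_params(return_url).get("state")
        if state is None:
            return None
        return self.pending.pop(state, None)
```

The application decides what to do with the returned URL: offer it to the user as a "log out everywhere" link, or redirect to it immediately. The state is consumed on the first callback, so a replayed or forged return URL is ignored.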