feat(oxauth): add client_id parameter support to /end_session

Question

feat(oxauth): add client_id parameter support to /end_session

yuriyz opened this issue a year ago · 1 comments

yuriyz commented a year ago

Describe the issue

feat(oxauth): add client_id parameter support to /end_session

Support: 11416

Motivation

Corner case is when session is expired and grant object is expired (or revoked) and AS is not able to identify client.

Obviously if AS can't identify client (due to missed session and id_token_hint) it falls back to global validation via clientWhiteList and allowPostLogoutRedirectWithoutValidation=true.

If we want to avoid global clientWhiteList question is still the same, how AS should figure out client if session and id_token_hint is not there ?

One possible solution is to pass client_id explicitly, so AS will do following:

get client from session
if no session -> get client from id_token_hint
if grant object for id_token_hint is not there -> take client by client_id.
client_id parameter is just an idea, it's not supported however it can be implemented.

Answer 1 · 2023-09-08T10:17:40.000Z

Fixed in 4.6.0 and 4.5.2.