Adjust nodejs adapter with OIDC RP-Initiated Logout

Closes #358

Co-authored-by: Jon Koops <[email protected]>

keycloak.d.ts

@@ -413,7 +413,7 @@ declare namespace KeycloakConnect {
 
     loginUrl(uuid: string, redirectUrl: string): string
 
-    logoutUrl(redirectUrl: string): string
+    logoutUrl(redirectUrl: string, idTokenHint?: string): string
 
     accountUrl(): string
 

keycloak.js

@@ -400,10 +400,15 @@ Keycloak.prototype.loginUrl = function (uuid, redirectUrl) {
   return url;
 };
 
-Keycloak.prototype.logoutUrl = function (redirectUrl) {
-  return this.config.realmUrl +
-  '/protocol/openid-connect/logout' +
-  '?redirect_uri=' + encodeURIComponent(redirectUrl);
+Keycloak.prototype.logoutUrl = function (redirectUrl, idTokenHint) {
+  const url = new URL(this.config.realmUrl + '/protocol/openid-connect/logout');
+
+  if (redirectUrl && idTokenHint) {
+    url.searchParams.set('id_token_hint', idTokenHint);
+    url.searchParams.set('post_logout_redirect_uri', redirectUrl);
+  }
+
+  return url.toString();
 };
 
 Keycloak.prototype.accountUrl = function () {

middleware/logout.js

@@ -24,7 +24,9 @@ module.exports = function (keycloak, logoutUrl) {
       return next();
     }
 
+    let idTokenHint = null;
     if (request.kauth.grant) {
+      idTokenHint = request.kauth.grant.id_token.token;
       keycloak.deauthenticated(request);
       request.kauth.grant.unstore(request, response);
       delete request.kauth.grant;
@@ -38,7 +40,7 @@ module.exports = function (keycloak, logoutUrl) {
       const port = headerHost[1] || '';
       redirectUrl = request.protocol + '://' + host + (port === '' ? '' : ':' + port) + '/';
     }
-    const keycloakLogoutUrl = keycloak.logoutUrl(redirectUrl);
+    const keycloakLogoutUrl = keycloak.logoutUrl(redirectUrl, idTokenHint);
 
     response.redirect(keycloakLogoutUrl);
   };

test/keycloak-connect-web-spec.js

@@ -208,6 +208,7 @@ test('Confidential client should be forbidden for invalid public key', t => {
             t.equal(text, 'Access denied', 'Message should be access denied');
           })
             .then(() => page.logout(app.port))
+            .then(() => page.logoutConfirm())
             .then(() => page.get(app.port, '/check-sso'))
             .then(() => page.output().getText().then(text => t.equal(text, 'Check SSO Success (Not Authenticated)', 'User should not be authenticated')))
         );

test/utils/webdriver.js

@@ -145,6 +145,14 @@ ConsolePage.prototype.logout = function (port) {
   });
 };
 
+/**
+ * Confirmation of the logout screen
+ */
+ConsolePage.prototype.logoutConfirm = function () {
+  waitForVisibleElement(By.id('kc-logout'), 100000);
+  return driver.findElement(By.id('kc-logout')).then(webElement => webElement.click());
+};
+
 ConsolePage.prototype.body = () => {
   return driver.findElement(By.tagName('pre'));
 };