From 91341f4e5649c2ac0c2d0a0973c2256bd7b0fac6 Mon Sep 17 00:00:00 2001
From: Tushar Pandey
Date: Thu, 2 Jan 2025 18:24:15 +0530
Subject: [PATCH] do an idp logout even when oidc.isAuthenticated is false

---
 lib/context.js | 41 +++++++++++++++++++++++++++++------------
 1 file changed, 29 insertions(+), 12 deletions(-)

diff --git a/lib/context.js b/lib/context.js
index a872b6cb..cee9d2ba 100644
--- a/lib/context.js
+++ b/lib/context.js
@@ -303,6 +303,31 @@ class ResponseContext {
     try {
       const { client } = await getClient(config);
 
+      /**
+       * Generates the logout URL.
+       *
+       * Depending on the configuration, this function will either perform a local only logout
+       * or a federated logout by redirecting to the appropriate URL.
+       *
+       * @param {string} idTokenHint - The ID token hint to be used for the logout request.
+       * @returns {string} The URL to redirect the user to for logout.
+       */
+      const getLogoutUrl = (idTokenHint) => {
+        // if idpLogout is not configured, perform a local only logout
+        if (!config.idpLogout) {
+          debug('performing a local only logout, redirecting to %s', returnURL);
+          return returnURL;
+        }
+
+        // if idpLogout is configured, perform a federated logout
+        return client.endSessionUrl({
+          ...config.logoutParams,
+          ...(idTokenHint && { id_token_hint: idTokenHint }),
+          post_logout_redirect_uri: returnURL,
+          ...params.logoutParams,
+        });
+      };
+
       if (url.parse(returnURL).host === null) {
         returnURL = urlJoin(config.baseURL, returnURL);
       }
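Review bot: `getLogoutUrl` is declared before `returnURL` is made absolute by the `urlJoin` branch that follows it, so it only yields the normalized value because the arrow closes over the `returnURL` binding rather than its value at declaration time; that ordering is easy to break in a later refactor. Either move the helper below the host check or state the dependency in its doc block, e.g. `* Must only be called after returnURL has been resolved against config.baseURL.`. The JSDoc also declares `@param {string} idTokenHint` as required while the second hunk calls it with `undefined`; `@param {string} [idTokenHint] - Omitted when no session is present, in which case no id_token_hint is sent.` would match the `...(idTokenHint && {...})` guard. The enclosing method starts before this hunk.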
@@ -311,23 +336,15 @@ class ResponseContext {
 
       if (!req.oidc.isAuthenticated()) {
         debug('end-user already logged out, redirecting to %s', returnURL);
-        return res.redirect(returnURL);
+
+        // perform idp logout with no token hint
+        return res.redirect(getLogoutUrl(undefined));
       }
 
       const { idToken: id_token_hint } = req.oidc;
       req[config.session.name] = undefined;
 
-      if (!config.idpLogout) {
-        debug('performing a local only logout, redirecting to %s', returnURL);
-        return res.redirect(returnURL);
-      }
-
-      returnURL = client.endSessionUrl({
-        ...config.logoutParams,
-        id_token_hint,
-        post_logout_redirect_uri: returnURL,
-        ...params.logoutParams,
-      });
+      returnURL = getLogoutUrl(id_token_hint);
     } catch (err) {
       return next(err);
     }
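Review bot: The debug line kept above the new `return res.redirect(getLogoutUrl(undefined));` still reports "redirecting to %s" with `returnURL`, but when `config.idpLogout` is set the user is now sent to the IdP end-session URL instead, so the log no longer describes the redirect that happens; `debug('end-user already logged out, performing logout redirect');` or logging the computed URL would keep it truthful. In that branch the local session is also not touched, since `req[config.session.name] = undefined;` is only reached on the authenticated path — presumably there is nothing to clear when `isAuthenticated()` is false, but that is worth confirming rather than assuming. Sending an end-session request without an id_token_hint is something the OP may reject or answer with a confirmation prompt, depending on its policy, so a short comment on the new branch saying that behaviour is IdP-dependent would help operators who enable `idpLogout`. Style: `getLogoutUrl()` reads better than `getLogoutUrl(undefined)`, and the blank line added directly after the `debug` call inside the `if` is inconsistent with the rest of the method.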