Fix log out error "Missing parameters: id_token_hint"

nexus-main · Feb 28, 2024 · 9448e9f · 9448e9f
1 parent 62264b1
commit 9448e9f
Show file tree

Hide file tree

Showing 4 changed files with 24 additions and 2 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,8 @@
+## v2.0.0-beta.22 - 2024-02-28
+
+### Bugs fixed:
+- Fix log out error "Missing parameters: id_token_hint".
+
 ## v2.0.0-beta.21 - 2023-09-29
 
 ### Features:

diff --git a/src/Nexus/API/UsersController.cs b/src/Nexus/API/UsersController.cs
@@ -32,8 +32,8 @@ internal class UsersController : ControllerBase
 
         // [authenticated]
         // GET      /api/users/me
+        // GET      /api/users/accept-license?catalogId=X
         // POST     /api/users/tokens/generate
-        // POST     /api/users/accept-license?catalogId=X
         // DELETE   /api/users/tokens/{tokenId}
 
         // [privileged]

diff --git a/src/Nexus/Core/NexusAuthExtensions.cs b/src/Nexus/Core/NexusAuthExtensions.cs
@@ -86,7 +86,24 @@ public static IServiceCollection AddNexusAuth(
                     options.ClientSecret = provider.ClientSecret;
 
                     options.CallbackPath = $"/signin-oidc/{provider.Scheme}";
+
+                    /* OIDC spec RECOMMENDS id_token_hint (= id_token) to be added when
+                     * post_logout_redirect_url is specified 
+                     * (https://openid.net/specs/openid-connect-rpinitiated-1_0.html)
+                     * 
+                     * To be able to provide that parameter the (large) ID token must
+                     * become part of the auth cookie. The /connect/logout endpoint in 
+                     * NexusIdentityProviderExtensions.cs is then getting that logout_hint
+                     * query parameter automatically (this has been tested!).
+                     * This parameter then is part of the httpContext.Request.Query dict.
+                     *
+                     * Why do we enable this when this is just recommended? Because newer
+                     * version of Keycloak REQUIRE it, otherwise we get a 
+                     * "Missing parameters: id_token_hint" error.
+                     */
+                    options.SaveTokens = true;
                     options.SignedOutCallbackPath = $"/signout-oidc/{provider.Scheme}";
+
                     options.ResponseType = OpenIdConnectResponseType.Code;
 
                     options.TokenValidationParameters.AuthenticationType = provider.Scheme;

diff --git a/version.json b/version.json
@@ -1,4 +1,4 @@
 {
     "version": "2.0.0",
-    "suffix": "beta.21"
+    "suffix": "beta.22"
 }