No OIDC frontchannel logout when session_state is missing in the ID token

[djbgeodan]

Hi Travis,

We use the OIDC plugin with a external IdD. This works great, except the the logout at the IdP does not take place, when the logout handler is called. I think it is caused by the fact that the ID token does not contain the session_state claim. https://github.com/travisghansen/external-auth-server/blob/master/src/plugin/oauth/index.js#L1515C39-L1515C39

In the code there is the comment TODO: this check may not be entirely needed/wanted . So my question is, can this condition be removed?

Regards, Dirk-Jan

[travisghansen]

Reading through some docs and rfcs I think it can be removed. It appears to me that field in the id token is not necessarily common (may be a keycloak-centric behavior) and has no direct tie to the logout functionality. It may be a hint the provider actually supports logout but otherwise seems to have no bearing on the logout process.

I can make the change when I get a moment or you are welcome to submit a PR I can merge.

[travisghansen]

Can you test using the next image tag? It’s a mutable tag so make sure your cluster pulls the newest revision.

[djbgeodan]

Thanks, I've tested it. It's solves our logout issue.

[travisghansen]

I’ve just committed a small change in that same area of code. Can you pull the most recent next image and ensure everything still works as needed?

[djbgeodan]

I've tested it. All seems to work fine.