Skip to content

fix(auth): guard federated logout on a missing id_token_hint#22

Merged
coopbri merged 1 commit into
masterfrom
fix/signout-idtoken-guard
Jul 10, 2026
Merged

fix(auth): guard federated logout on a missing id_token_hint#22
coopbri merged 1 commit into
masterfrom
fix/signout-idtoken-guard

Conversation

@coopbri

@coopbri coopbri commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Root fix for a sign-out bug every app scaffolded from this template inherited (already patched downstream in herald-app #27/#28, backfeed-app #208, runa-app #86).

Gatekeeper's OIDC end-session endpoint requires id_token_hint, so sign-out 400s ([query.id_token_hint] Invalid input: expected string, received undefined) whenever the id token is absent (e.g. after a token refresh, which doesn't re-issue an id_token). getIdpLogoutUrl now returns null without an id token → local-only sign-out fallback. Extracted the pure URL builder into lib/auth/idpLogout with unit tests. tsc/biome clean.

Root fix: every app scaffolded from this template inherited a sign-out bug.
Gatekeeper's OIDC end-session endpoint requires id_token_hint and rejects a
request without it, so sign-out broke whenever the id token was absent (e.g.
after a token refresh, which does not re-issue an id_token). Already patched
downstream in herald/backfeed/runa.

getIdpLogoutUrl now returns null without an id token, so sign-out falls back to
a local-only sign-out instead of redirecting into a 400. Extracted the pure URL
builder into lib/auth/idpLogout with unit tests.
@coopbri
coopbri merged commit df88fd0 into master Jul 10, 2026
2 of 3 checks passed
@github-actions github-actions Bot locked and limited conversation to collaborators Jul 10, 2026
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant