
We always throw if id_token_hint is missing when post_logout_redirect_uri is used #321

@cicnavi

The spec RP-Initiated Logout https://openid.net/specs/openid-connect-rpinitiated-1_0.html says:

  1. Redirection to RP After Logout
    In some cases, the RP will request that the End-User's User Agent to be redirected back to the RP after a logout has been performed. Post-logout redirection is only done when the logout is RP-initiated, in which case the redirection target is the post_logout_redirect_uri parameter value sent by the initiating RP. An id_token_hint carrying an ID Token for the RP is also RECOMMENDED when requesting post-logout redirection; if it is not supplied with post_logout_redirect_uri, the OP MUST NOT perform post-logout redirection unless the OP has other means of confirming the legitimacy of the post-logout redirection target. The OP also MUST NOT perform post-logout redirection if the post_logout_redirect_uri value supplied does not exactly match one of the previously registered post_logout_redirect_uris values. The post-logout redirection is performed after the OP has finished notifying the RPs that logged in with the OP for that End-User that they are to log out the End-User.

Currently we always throw, that is, stop the execution when id_token_hint is missing when post_logout_redirect_uri is used:

Reading the spec, since id_token_hint is RECOMMENDED, we should not stop the execution, but simply not redirect to the post_logout_redirect_uri. We could show our own "you are logged out" page instead.

  • TODO mivanci check how conformance tests handle this situation
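The decision logic the issue asks for, as an added example that is not the project's own code: the OP always ends the session, and only the redirect is conditional. A missing id_token_hint, an invalid hint, an audience mismatch, or a post_logout_redirect_uri that is not an exact registered match all fall back to the OP's own "you are logged out" page instead of raising. The HS256 secret, the in-memory client registry, the `mint_id_token` fixture and the function names are assumptions made for this example; a real OP verifies the hint with its own asymmetric signing key and looks clients up in its store.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlencode

# Constructed sample data (assumption for this example): an HS256 secret standing in
# for the OP's ID Token signing key, and two registered RPs with their exact
# post_logout_redirect_uris.
OP_ISSUER = "https://op.example"
OP_SIGNING_SECRET = b"constructed-example-secret"


@dataclass
class RegisteredClient:
    client_id: str
    post_logout_redirect_uris: list = field(default_factory=list)


CLIENTS = {
    "rp-one": RegisteredClient("rp-one", ["https://rp-one.example/logged-out"]),
    "rp-two": RegisteredClient("rp-two", ["https://rp-two.example/bye"]),
}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(client_id: str, sub: str) -> str:
    """Issue a minimal HS256 ID Token for an RP (test fixture, not a real OP issuer)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({"iss": OP_ISSUER, "aud": client_id, "sub": sub}).encode())
    sig = hmac.new(OP_SIGNING_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_id_token_hint(token: str) -> Optional[dict]:
    """Return the claims if the token was signed by this OP, else None.

    exp is deliberately not enforced: the spec says the OP SHOULD accept an
    expired ID Token as id_token_hint when the RP has or recently had a session.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(OP_SIGNING_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, AttributeError, TypeError):
        return None
    if not isinstance(claims, dict) or claims.get("iss") != OP_ISSUER:
        return None
    return claims


@dataclass
class LogoutDecision:
    redirect_to: Optional[str]  # None: end the session and render the OP's own logged-out page
    reason: str


def resolve_post_logout_redirect(params: dict) -> LogoutDecision:
    """Decide whether to honour post_logout_redirect_uri; never raises for a missing hint."""
    redirect_uri = params.get("post_logout_redirect_uri")
    if redirect_uri is None:
        return LogoutDecision(None, "no redirect requested")

    hint = params.get("id_token_hint")
    if hint is None:
        # id_token_hint is only RECOMMENDED, but without it (and without other proof of
        # the target) the OP MUST NOT redirect, so degrade instead of stopping the logout.
        return LogoutDecision(None, "id_token_hint missing")

    claims = verify_id_token_hint(hint)
    if claims is None:
        return LogoutDecision(None, "id_token_hint invalid")

    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    client_id = params.get("client_id")
    if client_id is not None and client_id not in audiences:
        return LogoutDecision(None, "client_id does not match id_token_hint audience")
    clients = [CLIENTS[c] for c in ([client_id] if client_id else audiences) if c in CLIENTS]
    if not clients:
        return LogoutDecision(None, "unknown client")

    # Exact string comparison against the registered values; no prefix or pattern matching.
    if not any(redirect_uri in c.post_logout_redirect_uris for c in clients):
        return LogoutDecision(None, "post_logout_redirect_uri not registered")

    target = redirect_uri
    if "state" in params:  # echo state back to the RP, per the spec
        target += ("&" if "?" in target else "?") + urlencode({"state": params["state"]})
    return LogoutDecision(target, "ok")
```

The `reason` field is meant for the OP's own log line and logged-out page, not for the redirect: an RP that omitted the hint simply does not get its redirect, which is the behaviour the issue argues for over throwing.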
