fix: allow endSessionUrl defaults to be overriden

panva · Oct 19, 2022 · 7cc2402 · 7cc2402
1 parent 6fd9350
commit 7cc2402
Show file tree

Hide file tree

Showing 4 changed files with 29 additions and 12 deletions.
diff --git a/README.md b/README.md
@@ -42,7 +42,7 @@ openid-client.
     - self_signed_tls_client_auth
 - [RFC9101 - OAuth 2.0 JWT-Secured Authorization Request (JAR)][feature-jar]
 - [RFC9126 - OAuth 2.0 Pushed Authorization Requests (PAR)][feature-par]
-- [OpenID Connect RP-Initiated Logout 1.0 - draft 01][feature-rp-logout]
+- [OpenID Connect RP-Initiated Logout 1.0][feature-rp-logout]
 - [Financial-grade API Security Profile 1.0 - Part 2: Advanced (FAPI)][feature-fapi]
 - [JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) - ID1][feature-jarm]
 - [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP) - draft 04][feature-dpop]
@@ -272,7 +272,7 @@ See [Customizing (docs)][documentation-customizing].
 [feature-introspection]: https://tools.ietf.org/html/rfc7662
 [feature-mtls]: https://tools.ietf.org/html/rfc8705
 [feature-device-flow]: https://tools.ietf.org/html/rfc8628
-[feature-rp-logout]: https://openid.net/specs/openid-connect-rpinitiated-1_0-01.html
+[feature-rp-logout]: https://openid.net/specs/openid-connect-rpinitiated-1_0.html
 [feature-jarm]: https://openid.net/specs/openid-financial-api-jarm-ID1.html
 [feature-fapi]: https://openid.net/specs/openid-financial-api-part-2-1_0.html
 [feature-dpop]: https://tools.ietf.org/html/draft-ietf-oauth-dpop-04

diff --git a/docs/README.md b/docs/README.md
@@ -242,6 +242,7 @@ parameters.
 
 - `parameters`: `<Object>`
   - `id_token_hint`: `<string>` &vert; `<TokenSet>`
+  - `client_id`: `<string>` **Default:** client's client_id
   - `post_logout_redirect_uri`: `<string>` **Default:** If only a single
     `client.post_logout_redirect_uris` member is present that one will be used automatically.
   - `state`: `<string>`

diff --git a/lib/client.js b/lib/client.js
@@ -288,25 +288,26 @@ class BaseClient {
 
     const { post_logout_redirect_uri = length === 1 ? postLogout : undefined } = params;
 
-    let hint = params.id_token_hint;
-    if (hint instanceof TokenSet) {
-      if (!hint.id_token) {
+    let id_token_hint;
+    ({ id_token_hint, ...params } = params);
+    if (id_token_hint instanceof TokenSet) {
+      if (!id_token_hint.id_token) {
         throw new TypeError('id_token not present in TokenSet');
       }
-      hint = hint.id_token;
+      id_token_hint = id_token_hint.id_token;
     }
 
     const target = url.parse(this.issuer.end_session_endpoint, true);
     target.search = null;
-    target.query = {
-      ...params,
-      ...target.query,
-      ...{
+    defaults(
+      target.query,
+      params,
+      {
         post_logout_redirect_uri,
-        id_token_hint: hint,
         client_id: this.client_id,
       },
-    };
+      { id_token_hint },
+    );
 
     Object.entries(target.query).forEach(([key, value]) => {
       if (value === null || value === undefined) {

diff --git a/test/client/client_instance.test.js b/test/client/client_instance.test.js
@@ -288,6 +288,21 @@ describe('Client', () => {
       ).to.throw(TypeError, 'id_token not present in TokenSet');
     });
 
+    it('allows to override default applied values', function () {
+      expect(
+        url.parse(
+          this.client.endSessionUrl({
+            post_logout_redirect_uri: 'override',
+            client_id: 'override',
+          }),
+          true,
+        ).query,
+      ).to.eql({
+        post_logout_redirect_uri: 'override',
+        client_id: 'override',
+      });
+    });
+
     it('allows for recommended and optional query params to be passed in', function () {
       expect(
         url.parse(