Pass client_id to end-session endpoint

[smarsching]

At the moment, the oidc_handle_logout only passes the id_token_hint and (optionally) the post_logout_redirect_uri to the OP’s end-session endpoint URL when doing the redirect.

This is a problem for us, because our OP does not seem to be able to correctly handle requests that are missing the client_id parameter. The OpenID Connect RP-Initiated Logout 1.0 specification says about the client_id parameter:

OPTIONAL. OAuth 2.0 Client Identifier valid at the Authorization Server. When both client_id and id_token_hint are present, the OP MUST verify that the Client Identifier matches the one used when issuing the ID Token. The most common use case for this parameter is to specify the Client Identifier when post_logout_redirect_uri is used but id_token_hint is not. Another use is for symmetrically encrypted ID Tokens used as id_token_hint values that require the Client Identifier to be specified by other means, so that the ID Tokens can be decrypted by the OP.

So, mod_auth_openidc clearly is standard compliant at the moment as client_id is optional, but as OPs might use symmetrically encrypted ID tokens according to the specification, passing it seems like a good idea. For OPs that do not need this parameter, passing it should not hurt, as it is part of the standard and all compliant OPs should be able to handle it.

Is there any reason why client_id was deliberately not included? If not, I would be willing to provide a PR that adds this parameter (this should only add a few lines of code to oidc_handle_logout.

[zandbelt]

I have a patch lying around that adds support for adding arbitrary parameters to the logout request, I'll add that

[smarsching]

That’s even better. 🙂

[zandbelt]

see a6c2d66

[smarsching]

That’s great! Thank you very much!