feat: allow forwarding of params from client logout

packages/sdk/src/client/client.ts

@@ -17,12 +17,12 @@ import {
 import { serialize } from '../utils';
 import { applyPatch } from 'fast-json-patch';
 import {
-	ResponseError,
-	InputValidationError,
 	AuthorizationError,
-	ValidationResponseJSON,
 	ClientOperationErrorCodes,
+	InputValidationError,
 	NoUserError,
+	ResponseError,
+	ValidationResponseJSON,
 } from './errors';
 import { deepClone } from '../utils/helper';
 
@@ -738,6 +738,12 @@ export class Client {
 			logout_openid_connect_provider: options?.logoutOpenidConnectProvider ? 'true' : 'false',
 		});
 
+		if (options?.parameters) {
+			for (const [key, value] of options.parameters) {
+				params.append(key, value);
+			}
+		}
+
 		const url = this.addUrlParams(`${this.options.baseURL}/auth/cookie/user/logout`, params);
 
 		const response = await this.fetch(url, {

packages/sdk/src/client/types.ts

@@ -184,6 +184,12 @@ export interface LogoutOptions {
 	 * Callback to be run after a succesful logout
 	 * */
 	after?: () => void;
+	/**
+	 * Parameters to be appended to the logout request
+	 * Of particular note is the federated parameter:
+	 * https://auth0.com/docs/authenticate/login/logout/log-users-out-of-idps#alternative-logout
+	 * */
+	parameters?: URLSearchParams;
 }
 
 export type HasRequiredInput<Input extends object | undefined> = Input extends object

pkg/authentication/authentication.go

@@ -851,6 +851,8 @@ type UserLogoutHandler struct {
 	Log             *zap.Logger
 }
 
+const logoutOpenidConnectProvider = "logout_openid_connect_provider"
+
 func (u *UserLogoutHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	resetUserCookies(w, r, !u.InsecureCookies)
 	user := UserFromContext(r.Context())
@@ -864,7 +866,7 @@ func (u *UserLogoutHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		http.Error(w, err.Error(), http.StatusInternalServerError)
 		return
 	}
-	if strings.ToLower(r.URL.Query().Get("logout_openid_connect_provider")) == "true" {
+	if strings.ToLower(r.URL.Query().Get(logoutOpenidConnectProvider)) == "true" {
 		if err := u.logoutFromProvider(w, r, user); err != nil {
 			if u.Log != nil {
 				u.Log.Warn("could not disconnect user from OIDC provider", zap.Error(err))
@@ -873,6 +875,8 @@ func (u *UserLogoutHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	}
 }
 
+const ForwardedQueryParamsKey = "forwarded_query_params"
+
 func (u *UserLogoutHandler) logoutFromProvider(w http.ResponseWriter, r *http.Request, user *User) error {
 	if user.ProviderName != "oidc" {
 		return fmt.Errorf("user provider %q is not OpenIDConnect", user.ProviderName)
@@ -884,7 +888,17 @@ func (u *UserLogoutHandler) logoutFromProvider(w http.ResponseWriter, r *http.Re
 	if err != nil {
 		return err
 	}
-	result, err := provider.Disconnect(r.Context(), user)
+
+	params := r.URL.Query()
+	// do not forward the "logout_openid_connect_provider" param
+	delete(params, logoutOpenidConnectProvider)
+
+	ctx := r.Context()
+	if len(params) > 0 {
+		ctx = context.WithValue(ctx, ForwardedQueryParamsKey, params)
+	}
+
+	result, err := provider.Disconnect(ctx, user)
 	if err != nil {
 		return err
 	}

pkg/authentication/oidc.go

@@ -381,7 +381,14 @@ func (p *OpenIDConnectProvider) disconnectDefault(ctx context.Context, user *Use
 	return nil, nil
 }
 
-func (p *OpenIDConnectProvider) disconnectAuth0(_ context.Context, _ *User) (*OpenIDDisconnectResult, error) {
+func (p *OpenIDConnectProvider) disconnectAuth0(ctx context.Context, _ *User) (*OpenIDDisconnectResult, error) {
+	params, ok := ctx.Value(ForwardedQueryParamsKey).(url.Values)
+
+	if params != nil && ok {
+		return &OpenIDDisconnectResult{
+			Redirect: fmt.Sprintf("%sv2/logout?client_id=%s&%s", p.config.Issuer, p.clientID, params.Encode()),
+		}, nil
+	}
 	return &OpenIDDisconnectResult{
 		Redirect: fmt.Sprintf("%sv2/logout?client_id=%s", p.config.Issuer, p.clientID),
 	}, nil