Difficulties obtaining idToken needef for /logout endpoint

[kaobg]

Issue

Not sure if this is classified as a bug or I'm missing something, but in the documentation it is stated that we can only use the autorization code flow, which is fine.

But then for /logout endpoint it is stated that:

It requires an idToken, obtained after successfully authenticating with OpenID Connect, and a URL to redirect back after the logout has been performed.

However, I can't find any way that I can set the response_type to include the 'code id_token' for the /authorize endpoint. The default response_type gets set to 'code' and the server does not return the idToken, which I can then later use for the logout. Because of this I end up sending some invalid string for the idToken param in /logout, which creates problem for the post logout redirect and as a result I end up having to close the custom tab manually after the log out has been completed.

Please let me know if I'm missing anything with the supported logout flow.

---

Environment

• Your Identity Provider: IdentityServer 4
• Platform that you're experiencing the issue on: Android
• Your react-native Version: 0.73.0
• Your react-native-app-auth Version: 7.1.3
• Are you using Expo?: No

[faizplus]

This seems to be config issue for IdentityServer 4 and is unrelated to this open source library and falls under general development help.

[carbonrobot]

@kaobg Does your code differ from our Identity Server 4 example?

https://github.com/FormidableLabs/react-native-app-auth/blob/main/docs/config-examples/identity-server-4.md

If so, can you tell me what options you are using or provide a code example?

[kaobg]

@carbonrobot
Hello, it differs in that I'm not using the revoke endpoint, I'm using the logout endpoint

const authConfig = {
   issuer: "{issuer}",
   postLogoutRedirectUrl: "com.myapp:/ouath2redirect"
}
... 
await logout(authConfig, {
      idToken: ?, // mandatory paramter - check my comment below
      postLogoutRedirectUrl: authConfig.postLogoutRedirectUrl
});

The 'idToken' parameter is mandatory, however I have no way of obtaining it at login because the authorize response type is set to 'code' only internally in the react-native-app-auth library. I think it should be 'code id_token'.

So that leaves me with just using the revoke() method as in the sample you provided
As is, the logout() method cannot be used, unless I'm missing something.

[kaobg]

Keep in mind that if you pass some invalid value for idToken, IdentityServer will display a logout page in the custom tab on which you have to make an extra click to confirm the logout. And it will not follow the PostLogoutRedirectURL in this case. Which is something I would like to avoid obviously.

[carbonrobot]

@kaobg We don't set the scope internally, you can supply that with your configuration as follows. The scopes determine what the OIDC endpoint will return when you call authorize, but the server also needs to be configured to allow that scope. Technically, OIDC specification does not require the id token, but Identity Server only follows the spec loosely.

const config = {
  issuer: 'https://demo.identityserver.io',
  clientId: 'native.code',
  redirectUrl: 'io.identityserver.demo:/oauthredirect',
  scopes: ['openid', 'profile', 'offline_access']
};

Keep in mind that Identity Server endsession endpoint requires a redirect to a browser url, this is their API design and nothing we can change.

ID4 docs: https://identityserver4.readthedocs.io/en/latest/endpoints/endsession.html

[kaobg]

@carbonrobot sorry for the very late response.

From the spec:

If a valid id_token_hint is passed, then the client may also send a post_logout_redirect_uri parameter. This can be used to allow >the user to redirect back to the client after sign-out.

That's exactly the behavior I want to achieve, it's fine that we need to open a browser for the endsession but after the session has been successfully ended I want to make use of the post logout redirect uri (which I can't do without supplying an id_token, hence my original question).

[davidfeldt]

I had a similar issue using the authorize endpoint. Kept getting "net.openid.appauth.AuthorizationException: Invalid ID Token" error on physical device. I discovered that it was related to the device not having the correct date/time setting so the id token was seen as invalid. This had nothing to do with a bug / issue with the react-native-app-auth library!!