only use state and post_logout_redirect_uri if we have a id_token_hint on signout

brockallen · brockallen · commit 07af544205c3 · 2016-05-19T15:25:36.000+01:00
diff --git a/src/SignoutRequest.js b/src/SignoutRequest.js
@@ -12,17 +12,20 @@ export default class SignoutRequest {
             throw new Error("url");
         }
 
-        if (data) {
-            this.state = new State({ data });
-            url = UrlUtility.addQueryParam(url, "state", this.state.id);
-        }
-
         if (id_token_hint) {
             url = UrlUtility.addQueryParam(url, "id_token_hint", id_token_hint);
+            
+            if (post_logout_redirect_uri) {
+                url = UrlUtility.addQueryParam(url, "post_logout_redirect_uri", post_logout_redirect_uri);
+                
+                if (data) {
+                    this.state = new State({ data });
+                    
+                    url = UrlUtility.addQueryParam(url, "state", this.state.id);
+                }
+            }
         }
-        if (post_logout_redirect_uri) {
-            url = UrlUtility.addQueryParam(url, "post_logout_redirect_uri", post_logout_redirect_uri);
-        }
+        
         this.url = url;
     }
 }
diff --git a/test/unit/OidcClient.spec.js b/test/unit/OidcClient.spec.js
@@ -45,6 +45,7 @@ describe("OidcClient", function () {
             authority: 'authority',
             client_id: 'client',
             redirect_uri: "http://app",
+            post_logout_redirect_uri: "http://app",
             stateStore: stubStore,
             ResponseValidatorCtor: () => stubValidator,
             MetadataServiceCtor: () => stubMetadataService
@@ -275,7 +276,7 @@ describe("OidcClient", function () {
             stubMetadataService.getEndSessionEndpointResult = Promise.resolve("http://sts/signout");
 
             var p = subject.createSignoutRequest({
-                data:"foo"
+                data:"foo", id_token_hint:'hint'
             });
 
             p.then(request => {
diff --git a/test/unit/SignoutRequest.spec.js b/test/unit/SignoutRequest.spec.js
@@ -45,17 +45,32 @@ describe("SignoutRequest", function() {
             subject.url.indexOf("http://sts/signout").should.equal(0);
         });
 
-        it("should include state", function() {
-            subject.url.should.contain("state=" + subject.state.id);
-        });
-
         it("should include id_token_hint", function() {
             subject.url.should.contain("id_token_hint=hint");
         });
 
-        it("should include post_logout_redirect_uri", function() {
+        it("should include post_logout_redirect_uri if id_token_hint also provided", function() {
             subject.url.should.contain("post_logout_redirect_uri=loggedout");
         });
+        
+        it("should not include post_logout_redirect_uri if no id_token_hint provided", function() {
+
+            delete settings.id_token_hint;
+            subject = new SignoutRequest(settings);
+
+            subject.url.should.not.contain("post_logout_redirect_uri=loggedout");
+        });
+        
+        it("should include state if post_logout_redirect_uri provided", function() {
+            subject.url.should.contain("state=" + subject.state.id);
+        });
+
+        it("should not include state if no post_logout_redirect_uri provided", function() {
+            delete settings.post_logout_redirect_uri;
+            subject = new SignoutRequest(settings);
+            subject.url.should.not.contain("state=");
+        });
+
 
         it("should include id_token_hint, post_logout_redirect_uri, and state", function() {
             var url = subject.url;
