Full OIDC logout with id_token_hint for provider session termination

Return the OIDC id_token in the callback response so the frontend can store it and pass it as id_token_hint to the provider's end-session endpoint on logout. This lets Authentik (or any OIDC provider) honor the post_logout_redirect_uri and redirect back to the Cameleer login page instead of showing the provider's own logout page. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-14 16:14:07 +01:00
parent 463cab1196
commit a6f94e8a70
7 changed files with 23 additions and 8 deletions
--- a/ui/src/api/openapi.json
+++ b/ui/src/api/openapi.json
@@ -1602,6 +1602,10 @@
          },
          "displayName": {
            "type": "string"
+          },
+          "idToken": {
+            "type": "string",
+            "description": "OIDC id_token for end-session logout (only present after OIDC login)"
          }
        },
        "required": [
--- a/ui/src/api/schema.d.ts
+++ b/ui/src/api/schema.d.ts
@@ -595,6 +595,8 @@ export interface components {
            accessToken: string;
            refreshToken: string;
            displayName: string;
+            /** @description OIDC id_token for end-session logout (only present after OIDC login) */
+            idToken?: string;
        };
        CallbackRequest: {
            code?: string;
--- a/ui/src/auth/auth-store.ts
+++ b/ui/src/auth/auth-store.ts
@@ -66,6 +66,7 @@ export const useAuthStore = create<AuthState>((set, get) => ({
      }
      const { accessToken, refreshToken, displayName } = data;
      localStorage.removeItem('cameleer-oidc-end-session');
+      localStorage.removeItem('cameleer-oidc-id-token');
      const name = displayName ?? username;
      persistTokens(accessToken, refreshToken, name);
      set({
@@ -93,9 +94,12 @@ export const useAuthStore = create<AuthState>((set, get) => ({
      if (error || !data) {
        throw new Error('OIDC login failed');
      }
-      const { accessToken, refreshToken, displayName } = data;
+      const { accessToken, refreshToken, displayName, idToken } = data;
      const username = displayName ?? 'oidc-user';
      persistTokens(accessToken, refreshToken, username);
+      if (idToken) {
+        localStorage.setItem('cameleer-oidc-id-token', idToken);
+      }
      set({
        accessToken,
        refreshToken,
@@ -137,8 +141,10 @@ export const useAuthStore = create<AuthState>((set, get) => ({

  logout: () => {
    const endSessionEndpoint = localStorage.getItem('cameleer-oidc-end-session');
+    const idToken = localStorage.getItem('cameleer-oidc-id-token');
    clearTokens();
    localStorage.removeItem('cameleer-oidc-end-session');
+    localStorage.removeItem('cameleer-oidc-id-token');
    set({
      accessToken: null,
      refreshToken: null,
@@ -147,9 +153,10 @@ export const useAuthStore = create<AuthState>((set, get) => ({
      isAuthenticated: false,
      error: null,
    });
-    if (endSessionEndpoint) {
+    if (endSessionEndpoint && idToken) {
      const postLogoutRedirect = `${window.location.origin}/login`;
      const params = new URLSearchParams({
+        id_token_hint: idToken,
        post_logout_redirect_uri: postLogoutRedirect,
      });
      window.location.href = `${endSessionEndpoint}?${params}`;