🪪 fix: Preserve OIDC Logout ID Token Hint (#12999)

2026-05-13 07:46:47 +00:00 · 2026-05-07 15:39:48 -04:00 · 2026-05-07 15:39:48 -04:00 · 4238dd4471
commit 4238dd4471
parent 8f92ec012c
2 changed files with 26 additions and 1 deletions
--- a/api/server/services/AuthService.js
+++ b/api/server/services/AuthService.js
@ -544,6 +544,8 @@ const setOpenIDAuthTokens = (
     * Falls back to access_token for providers where id_token is not available.
     */
    const appAuthToken = tokenset.id_token || tokenset.access_token;
+    const sessionIdToken = req.session?.openidTokens?.idToken;
+    const logoutIdToken = tokenset.id_token || sessionIdToken;

    /**
     * Always set refresh token cookie so it survives express session expiry.
@ -565,7 +567,7 @@ const setOpenIDAuthTokens = (
    if (req.session) {
      req.session.openidTokens = {
        accessToken: tokenset.access_token,
-        idToken: tokenset.id_token,
+        idToken: logoutIdToken,
        refreshToken: refreshToken,
        expiresAt: expirationDate.getTime(),
      };
--- a/api/server/services/AuthService.spec.js
+++ b/api/server/services/AuthService.spec.js
@ -172,8 +172,31 @@ describe('setOpenIDAuthTokens', () => {
      setOpenIDAuthTokens(tokenset, req, res, 'user-123');

      expect(req.session.openidTokens.accessToken).toBe('the-access-token');
+      expect(req.session.openidTokens.idToken).toBe('the-id-token');
      expect(req.session.openidTokens.refreshToken).toBe('the-refresh-token');
    });
+
+    it('should preserve the existing session id_token when refresh omits one', () => {
+      const tokenset = {
+        access_token: 'new-access-token',
+        refresh_token: 'new-refresh-token',
+      };
+      const req = mockRequest({
+        openidTokens: {
+          accessToken: 'old-access-token',
+          idToken: 'existing-id-token',
+          refreshToken: 'old-refresh-token',
+        },
+      });
+      const res = mockResponse();
+
+      const result = setOpenIDAuthTokens(tokenset, req, res, 'user-123');
+
+      expect(result).toBe('new-access-token');
+      expect(req.session.openidTokens.accessToken).toBe('new-access-token');
+      expect(req.session.openidTokens.idToken).toBe('existing-id-token');
+      expect(req.session.openidTokens.refreshToken).toBe('new-refresh-token');
+    });
  });

  describe('cookie secure flag', () => {