From b3da1d223c9dbb3e5413720884d692d77f8d3351 Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Mon, 12 Dec 2022 19:02:37 +0000
Subject: [PATCH] providers/proxy: correctly set id_token_hint if possible
Signed-off-by: Jens Langhammer
---
 .../outpost/proxyv2/application/application.go | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/internal/outpost/proxyv2/application/application.go b/internal/outpost/proxyv2/application/application.go
index 14f1fa07f..db67087a9 100644
--- a/internal/outpost/proxyv2/application/application.go
+++ b/internal/outpost/proxyv2/application/application.go
@@ -222,17 +222,24 @@ func (a *Application) ServeHTTP(rw http.ResponseWriter, r *http.Request) {
 }
 
 func (a *Application) handleSignOut(rw http.ResponseWriter, r *http.Request) {
- //TODO: Token revocation
+ redirect := a.endpoint.EndSessionEndpoint
 s, err := a.sessions.Get(r, constants.SessionName)
 if err != nil {
- http.Redirect(rw, r, a.endpoint.EndSessionEndpoint, http.StatusFound)
+ http.Redirect(rw, r, redirect, http.StatusFound)
 return
 }
+ if c, exists := s.Values[constants.SessionClaims]; c == nil || !exists {
+ cc := c.(Claims)
+ uv := url.Values{
+ "id_token_hint": []string{cc.RawToken},
+ }
+ redirect += "?" + uv.Encode()
+ }
 s.Options.MaxAge = -1
 err = s.Save(r, rw)
 if err != nil {
- http.Redirect(rw, r, a.endpoint.EndSessionEndpoint, http.StatusFound)
+ http.Redirect(rw, r, redirect, http.StatusFound)
 return
 }
- http.Redirect(rw, r, a.endpoint.EndSessionEndpoint, http.StatusFound)
+ http.Redirect(rw, r, redirect, http.StatusFound)
 }
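Review bot: The guard on the new claims block in handleSignOut is inverted: `c == nil || !exists` enters the block exactly when the session holds no claims, and the unchecked assertion `c.(Claims)` then panics on a nil interface before `s.Options.MaxAge = -1` and `s.Save` run, so the local session is not cleared on that path. When claims are present the block is skipped and `id_token_hint` is never appended, which is the opposite of what the subject line describes. A comma-ok assertion handles both cases, `if cc, ok := s.Values[constants.SessionClaims].(Claims); ok {` with the `cc := c.(Claims)` line dropped (this assumes the value is stored as `Claims` and not as a pointer, which is not visible here). Separately, `redirect += "?" + uv.Encode()` assumes EndSessionEndpoint has no query string of its own; setting the parameter on a parsed `url.URL` would avoid a malformed logout URL.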