From b770cb9a09d1f71b6f6a28e7663968f3f987ee62 Mon Sep 17 00:00:00 2001
From: Andrew Duthie
Date: Wed, 28 Sep 2022 13:38:34 -0400
Subject: [PATCH 1/2] Use client_id in logout request

Pairs with https://github.com/18F/identity-idp/pull/7017
---
 app.rb | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/app.rb b/app.rb
index 30a46a6..fed3548 100644
--- a/app.rb
+++ b/app.rb
@@ -35,11 +35,9 @@ def config
 end
 get '/' do
- login_msg = session.delete(:login_msg)
 logout_msg = session.delete(:logout_msg)
 user_email = session[:email]
- logout_uri = session[:logout_uri]
 userinfo = session.delete(:userinfo)
 ial = prepare_step_up_flow(session: session, ial: params[:ial], aal: params[:aal])
@@ -90,7 +88,6 @@ def config
 redirect to('https://www.example.com/')
 else
 session[:login_msg] = 'ok'
- session[:logout_uri] = logout_uri(token_response[:id_token])
 session[:userinfo] = userinfo_response
 session[:email] = session[:userinfo][:email]
@@ -109,7 +106,6 @@ def config
 get '/logout' do
 session[:logout_msg] = 'ok'
- session.delete(:logout_uri)
 session.delete(:userinfo)
 session.delete(:email)
 session.delete(:step_up_enabled)
@@ -254,10 +250,10 @@ def userinfo(id_token)
 with_indifferent_access
 end
- def logout_uri(id_token)
+ def logout_uri
 endpoint = openid_configuration[:end_session_endpoint]
 request_params = {
- id_token_hint: id_token,
+ client_id: config.client_id,
 post_logout_redirect_uri: File.join(config.redirect_uri, 'logout'),
 state: SecureRandom.hex,
 }.to_query

From 55de0c70ff398c65375710d8a45458ada08ba763 Mon Sep 17 00:00:00 2001
From: Andrew Duthie
Date: Wed, 28 Sep 2022 13:43:58 -0400
Subject: [PATCH 2/2] Update spec

---
 spec/app_spec.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/spec/app_spec.rb b/spec/app_spec.rb
index 01bfcbe..5c97a86 100644
--- a/spec/app_spec.rb
+++ b/spec/app_spec.rb
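Review bot: In the rewritten `logout_uri`, the `state` value from `SecureRandom.hex` is built into the query but not persisted anywhere visible, so the `/logout` route that receives the post-logout redirect (the earlier hunk, which only clears session keys) has nothing to compare it against; if `state` is meant as a correlation/CSRF check rather than decoration, store it before building the query, e.g. `state = SecureRandom.hex` / `session[:logout_state] = state`, and compare `params[:state]` to it in `/logout`. Dropping `id_token_hint` for `client_id` is allowed by OIDC RP-Initiated Logout, but it shifts validation of `post_logout_redirect_uri` onto the OP's registration for this `client_id`, which deserves a comment above the `request_params` hash such as `# client_id replaces id_token_hint (pairs with identity-idp#7017); the OP validates post_logout_redirect_uri against this client's registered URIs`. The body of `logout_uri` continues past the end of the hunk, so how `request_params` is appended to `endpoint` is not visible here.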
@@ -257,7 +257,7 @@
 href = logout_link[:href]
 expect(href).to start_with(end_session_endpoint)
- expect(href).to include("id_token_hint=#{id_token}")
+ expect(href).to include("client_id=#{CGI.escape(client_id)}")
 end
 it 'redirects to root with an error param when there is an access denied' do
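Review bot: The replacement expectation only asserts that `client_id=` is present in the href; it no longer pins that `id_token_hint` is gone, so a regression that sends both parameters would still pass. Adding `expect(href).not_to include('id_token_hint')` next to the new line makes the intent of the change explicit, and a check that `state=` is present would cover the other parameter the app builds. `CGI.escape` needs `cgi` loaded in the spec environment; that may already be the case via other requires, but it is not visible in this hunk. The enclosing `it` block begins before the hunk.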