18F · aduth · Sep 30, 2022 · Sep 28, 2022 · Sep 28, 2022
diff --git a/app.rb b/app.rb
@@ -35,11 +35,9 @@ def config
     end
 
     get '/' do
-
       login_msg = session.delete(:login_msg)
       logout_msg = session.delete(:logout_msg)
       user_email = session[:email]
-      logout_uri = session[:logout_uri]
       userinfo = session.delete(:userinfo)
 
       ial = prepare_step_up_flow(session: session, ial: params[:ial], aal: params[:aal])
@@ -90,7 +88,6 @@ def config
           redirect to('https://www.example.com/')
         else
           session[:login_msg] = 'ok'
-          session[:logout_uri] = logout_uri(token_response[:id_token])
           session[:userinfo] = userinfo_response
           session[:email] = session[:userinfo][:email]
 
@@ -109,7 +106,6 @@ def config
 
     get '/logout' do
       session[:logout_msg] = 'ok'
-      session.delete(:logout_uri)
       session.delete(:userinfo)
       session.delete(:email)
       session.delete(:step_up_enabled)
@@ -254,10 +250,10 @@ def userinfo(id_token)
         with_indifferent_access
     end
 
-    def logout_uri(id_token)
+    def logout_uri
       endpoint = openid_configuration[:end_session_endpoint]
       request_params = {
-        id_token_hint: id_token,
+        client_id: config.client_id,
         post_logout_redirect_uri: File.join(config.redirect_uri, 'logout'),
         state: SecureRandom.hex,
       }.to_query

diff --git a/spec/app_spec.rb b/spec/app_spec.rb
@@ -257,7 +257,7 @@
 
       href = logout_link[:href]
       expect(href).to start_with(end_session_endpoint)
-      expect(href).to include("id_token_hint=#{id_token}")
+      expect(href).to include("client_id=#{CGI.escape(client_id)}")
     end
 
     it 'redirects to root with an error param when there is an access denied' do