Add id_token_hint to the post logout redirect uri, to facilitate the …

…direct redirect (without confirmation) with some IdP sofware (keycloak)

lib/omniauth/strategies/openid_connect.rb

@@ -423,8 +423,10 @@ def redirect_uri
       def encoded_post_logout_redirect_uri
         return unless options.post_logout_redirect_uri
 
+        id_token_hint = @access_token.id_token if @acess_token
         URI.encode_www_form(
-          post_logout_redirect_uri: options.post_logout_redirect_uri
+          post_logout_redirect_uri: options.post_logout_redirect_uri,
+          id_token_hint: id_token_hint
         )
       end
 

test/lib/omniauth/strategies/openid_connect_test.rb

@@ -45,7 +45,7 @@ def test_logout_phase_with_discovery
       end
 
       def test_logout_phase_with_discovery_and_post_logout_redirect_uri
-        expected_redirect = 'https://example.com/logout?post_logout_redirect_uri=https%3A%2F%2Fmysite.com'
+        expected_redirect = 'https://example.com/logout?post_logout_redirect_uri=https%3A%2F%2Fmysite.com&id_token_hint'
         strategy.options.client_options.host = 'example.com'
         strategy.options.discovery = true
         strategy.options.post_logout_redirect_uri = 'https://mysite.com'