keycloak · kbrabrand · Sep 2, 2022
diff --git a/keycloak.js b/keycloak.js
@@ -403,8 +403,11 @@ Keycloak.prototype.loginUrl = function (uuid, redirectUrl) {
 Keycloak.prototype.logoutUrl = function (redirectUrl, idTokenHint) {
   const url = new URL(this.config.realmUrl + '/protocol/openid-connect/logout')
 
-  if (redirectUrl && idTokenHint) {
+  if (idTokenHint) {
     url.searchParams.set('id_token_hint', idTokenHint)
+  }
+
+  if (redirectUrl) {
     url.searchParams.set('post_logout_redirect_uri', redirectUrl)
   }
 

diff --git a/test/unit/keycloak-object-test.js b/test/unit/keycloak-object-test.js
@@ -70,6 +70,24 @@ test('Should verify if logout URL has the configured realm.', t => {
   t.end()
 })
 
+test('Should verify if logout URL includes passed redirect url if provided.', t => {
+  const redirectUrl = 'https://secure.foo.bar'
+  const redirectRgx = new RegExp(`post_logout_redirect_uri=${encodeURIComponent('https://secure.foo.bar')}`)
+
+  t.equal(kc.logoutUrl(redirectUrl).match(redirectRgx) !== null, true)
+  t.end()
+})
+
+test('Should verify if logout URL includes passed redirect url + id token hint if provided.', t => {
+  const idToken = 'abc123'
+  const redirectUrl = 'https://secure.foo.bar'
+  const redirectRgx = new RegExp(`post_logout_redirect_uri=${encodeURIComponent('https://secure.foo.bar')}`)
+
+  t.equal(kc.logoutUrl(redirectUrl, idToken).match(redirectRgx) !== null, true)
+  t.equal(kc.logoutUrl(redirectUrl, idToken).indexOf(idToken) > 0, true)
+  t.end()
+})
+
 test('Should generate a correct UUID.', t => {
   const rgx = /^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$/
   t.equal(rgx.test(UUID()), true)