add flag to revoke tokens on signout

brockallen · brockallen · commit 32217080bb4b · 2016-10-20T18:46:11.000-04:00
diff --git a/src/OidcClientSettings.js b/src/OidcClientSettings.js
@@ -18,7 +18,7 @@ export default class OidcClientSettings {
         // metadata related
         authority, metadataUrl, metadata, signingKeys,
         // client related
-        client_id, response_type = DefaultResponseType, scope = DefaultScope,
+        client_id, client_secret, response_type = DefaultResponseType, scope = DefaultScope,
         redirect_uri, post_logout_redirect_uri,
         // optional protocol
         prompt, display, max_age, ui_locales, acr_values, resource,
@@ -37,6 +37,7 @@ export default class OidcClientSettings {
         this._signingKeys = signingKeys;
 
         this._client_id = client_id;
+        this._client_secret = client_secret;
         this._response_type = response_type;
         this._scope = scope;
         this._redirect_uri = redirect_uri;
@@ -73,6 +74,9 @@ export default class OidcClientSettings {
             throw new Error("client_id has already been assigned.")
         }
     }
+    get client_secret() {
+        return this._client_secret;
+    }
     get response_type() {
         return this._response_type;
     }
diff --git a/src/TokenRevocationClient.js b/src/TokenRevocationClient.js
@@ -39,11 +39,12 @@ export default class TokenRevocationClient {
             }
 
             var client_id = this._settings.client_id;
-            return this._revoke(url, client_id, accessToken);
+            var client_secret = this._settings.client_secret;
+            return this._revoke(url, client_id, client_secret, accessToken);
         });
     }
 
-    _revoke(url, client_id, accessToken) {
+    _revoke(url, client_id, client_secret, accessToken) {
         Log.info("Calling revocation endpoint");
 
         return new Promise((resolve, reject) => {
@@ -63,6 +64,9 @@ export default class TokenRevocationClient {
             };
 
             var body = "client_id=" + encodeURIComponent(client_id); 
+            if (client_secret) {
+                body += "&client_secret=" + encodeURIComponent(client_secret);
+            }
             body += "&token_type_hint=" + encodeURIComponent(AccessTokenTypeHint);
             body += "&token=" + encodeURIComponent(accessToken);
             
diff --git a/src/UserManager.js b/src/UserManager.js
@@ -298,7 +298,8 @@ export default class UserManager extends OidcClient {
             return this.getUser().then(user => {
                 Log.info("loaded current user from storage");
 
-                return this._revokeInternal(user).then(() => {
+                var revokePromise = this._settings.revokeAccessTokenOnSignout ? this._revokeInternal(user) : Promise.resolve();
+                return revokePromise.then(() => {
 
                     var id_token = args.id_token_hint || user && user.id_token;
                     if (id_token) {
diff --git a/src/UserManagerSettings.js b/src/UserManagerSettings.js
@@ -20,6 +20,7 @@ export default class UserManagerSettings extends OidcClientSettings {
         silentRequestTimeout,
         automaticSilentRenew = false,
         monitorSession = true,
+        revokeAccessTokenOnSignout = false,
         accessTokenExpiringNotificationTime = DefaultAccessTokenExpiringNotificationTime,
         redirectNavigator = new RedirectNavigator(),
         popupNavigator = new PopupNavigator(),
@@ -38,6 +39,7 @@ export default class UserManagerSettings extends OidcClientSettings {
         this._accessTokenExpiringNotificationTime = accessTokenExpiringNotificationTime;
 
         this._monitorSession = monitorSession;
+        this._revokeAccessTokenOnSignout = revokeAccessTokenOnSignout;
 
         this._redirectNavigator = redirectNavigator;
         this._popupNavigator = popupNavigator;
@@ -72,6 +74,9 @@ export default class UserManagerSettings extends OidcClientSettings {
     get monitorSession() {
         return this._monitorSession;
     }
+    get revokeAccessTokenOnSignout() {
+        return this._revokeAccessTokenOnSignout;
+    }
 
     get redirectNavigator() {
         return this._redirectNavigator;
diff --git a/test/unit/OidcClientSettings.spec.js b/test/unit/OidcClientSettings.spec.js
@@ -47,6 +47,15 @@ describe("OidcClientSettings", function () {
         });
     });
 
+    describe("client_secret", function () {
+        it("should return value from initial settings", function () {
+            let subject = new OidcClientSettings({
+                client_secret: 'secret'
+            });
+            subject.client_secret.should.equal("secret");
+        });
+    });
+
     describe("response_type", function () {
         it("should return value from initial settings", function () {
             let subject = new OidcClientSettings({
diff --git a/test/unit/UserManagerSettings.spec.js b/test/unit/UserManagerSettings.spec.js
@@ -155,4 +155,13 @@ describe("UserManagerSettings", function () {
             subject.userStore.should.equal(temp);
         });
     });
+
+    describe("revokeAccessTokenOnSignout", function() {
+        it("should return value from initial settings", function() {
+            let subject = new UserManagerSettings({
+                revokeAccessTokenOnSignout : true
+            });
+            subject.revokeAccessTokenOnSignout.should.equal(true);
+        });
+    });
 });
