fix(multiauth): Add clientId to redirect on signout

Previously we used `id_token_hint`, but it's saved in the cookie. This will instead require a client_id (which identifies your application), so Keycloak knows which application you’re requesting a redirect for.
2026-01-20 14:04:46 +01:00
parent d8d5e076ba
commit 54c40d7acc
1 changed files with 4 additions and 0 deletions
--- a/src/ServerPack/src/MultiAuth.fs
+++ b/src/ServerPack/src/MultiAuth.fs
@@ -296,6 +296,7 @@ let oidOptions (settings: MultiAuthSettings) (o: OpenIdConnectOptions) =
        fun e ->
            task {
                eprintfn "[MultiAuth] RedirectToIdentityProvider: %A" e.Request.Host.Value
+                e.ProtocolMessage.ClientId <- settings.oidc.clientId
                // HACK: For https behind proxy
                e.ProtocolMessage.RedirectUri <- $"https://{e.Request.Host.Value}/signin-oidc"
                return ()
@@ -303,6 +304,9 @@ let oidOptions (settings: MultiAuthSettings) (o: OpenIdConnectOptions) =
    o.Events.OnRedirectToIdentityProviderForSignOut <-
        fun e ->
            task {
+                eprintfn "[MultiAuth] OnRedirectToIdentityProviderForSignOut: %A" e.Request.Host.Value
+                // HACK: Avoid saving tokens
+                e.ProtocolMessage.ClientId <- settings.oidc.clientId
                // HACK: For https behind proxy
                e.ProtocolMessage.PostLogoutRedirectUri <- $"https://{e.Request.Host.Value}/signout-callback-oidc"
                return ()